Source: liferea
Version: 1.14.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for liferea.

CVE-2023-1350[0]:
| A vulnerability was found in liferea. It has been rated as critical.
| Affected by this issue is the function update_job_run of the file
| src/update.c of the component Feed Enrichment. The manipulation of the
| argument source with the input |date >/tmp/bad-item-link.txt
| leads to os command injection. The attack may be launched remotely.
| The exploit has been disclosed to the public and may be used. The name
| of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is
| recommended to apply a patch to fix this issue. The identifier of this
| vulnerability is VDB-222848.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1350
    https://www.cve.org/CVERecord?id=CVE-2023-1350
[1] https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
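
Added example, not part of the original report and not the upstream patch: a default-deny check that decides what an update job may do with a source string depending on where the string came from. All type and function names are hypothetical, and the convention that a leading '|' marks a command is an assumption drawn from the input quoted in the CVE text.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not Liferea's API. */
typedef enum {
    ORIGIN_USER_SUBSCRIPTION, /* source typed in by the local user */
    ORIGIN_FEED_CONTENT       /* source taken from downloaded feed data */
} source_origin;

typedef enum { SRC_REJECT, SRC_FETCH_URL, SRC_RUN_COMMAND } source_action;

/* Case-insensitive prefix match; `prefix` must be lowercase. */
static bool has_prefix(const char *s, const char *prefix) {
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != (unsigned char)*prefix)
            return false;
    }
    return true;
}

static bool is_web_url(const char *s) {
    return has_prefix(s, "http://") || has_prefix(s, "https://");
}

/* Decide what an update job may do with a source string of a given origin. */
source_action classify_source(const char *source, source_origin origin) {
    if (source == NULL)
        return SRC_REJECT;
    while (isspace((unsigned char)*source)) /* skip leading whitespace */
        source++;
    if (is_web_url(source))
        return SRC_FETCH_URL;
    /* Assumed convention: a leading '|' marks a command. Only a source the
       local user configured may take that path, never feed-supplied data. */
    if (*source == '|' && origin == ORIGIN_USER_SUBSCRIPTION)
        return SRC_RUN_COMMAND;
    return SRC_REJECT; /* default deny: file paths, other schemes, empty */
}

int main(void) {
    /* Constructed sample inputs; the first is the string quoted in the CVE text. */
    const char *samples[] = { "|date >/tmp/bad-item-link.txt",
                              "https://example.org/post/1", "file:///etc/hostname" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s feed=%d user=%d\n", samples[i],
               classify_source(samples[i], ORIGIN_FEED_CONTENT),
               classify_source(samples[i], ORIGIN_USER_SUBSCRIPTION));
    return 0;
}
```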