Control: found -1 1.12.0-1
Control: tags -1 pending

Hi Salvatore,

On 12-03-2023 08:47, Salvatore Bonaccorso wrote:
> The following vulnerability was published for liferea.
>
> CVE-2023-1350[0]:
> | A vulnerability was found in liferea. It has been rated as critical.
> | Affected by this issue is the function update_job_run of the file
> | src/update.c of the component Feed Enrichment. The manipulation of the
> | argument source with the input |date >/tmp/bad-item-link.txt
> | leads to os command injection. The attack may be launched remotely.
> | The exploit has been disclosed to the public and may be used. The name
> | of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is
> | recommended to apply a patch to fix this issue. The identifier of this
> | vulnerability is VDB-222848.
>
> Please adjust the affected versions in the BTS as needed.

Patch applies cleanly on both the version in unstable and the version in bullseye. I'll verify further.
Paul