Bug 31664

Summary: Liferea CVE-2023-1350 Remote code execution on feed enrichment
Product: Mageia Reporter: Julien Moragny <julien.moragny>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, julien.moragny, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: liferea-1.12.10-1.1.mga8.src.rpm CVE:
Status comment:

Description Julien Moragny 2023-03-13 21:45:36 CET 
Hello QA,

I just uploaded liferea 1.12.10 to 8/updates_testing. It fixes CVE-2023-1350 which is a Remote code execution. Please test and hopefully validate this package.


Tentative Advisory:
========================

Updated liferea 1.12.10 fix a security vulnerability

CVE-2023-1350 Remote code execution on feed enrichment

If you have enabled "Extract full content from HTML5 and Google AMP" for one or
more of your feed subscriptions it is possible for a an attacker to inject a script command that would run any command on your system.

Upgrading to 1.12.10 solves this security problem.

If you cannot upgrade disable "Extract full content from HTML5 and Google AMP" for all of you feeds. This can be done in the feed properties dialog,

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1350
https://github.com/lwindolf/liferea/releases/tag/v1.12.10
========================

Updated packages in core/updates_testing:
========================
liferea-1.12.10-1.1.mga8

Source RPM: 
liferea-1.12.10-1.1.mga8.src.rpm


Thanks
regards
Julien
Julien Moragny 2023-03-13 21:45:50 CET

CC: (none) => julien.moragny

Comment 1 Herman Viaene 2023-03-16 10:11:40 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous experience with this kind of stuff, so just opened it at the CLI:
$ liferea

(liferea:5080): Gtk-WARNING **: 10:02:21.632: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
Oops, secure memory pool already initialized
Oops, secure memory pool already initialized

(WebKitWebProcess:5096): Gtk-WARNING **: 10:02:23.094: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
unsupported entity: r.target.src
Liferea opens OK with a whole list of subscriptions preconfigured, jumped around a bit, found Planet Mageia and read the announcement of Mageia9beta.
Works OK to me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2023-03-16 15:28:06 CET 
Validating. Advisory in comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-17 23:58:26 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2023-03-18 23:18:38 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0103.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED