Bug 31664 - Liferea CVE-2023-1350 Remote code execution on feed enrichment
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2023-03-13 21:45 CET by Julien Moragny
Modified: 2023-03-18 23:18 CET
Source RPM: liferea-1.12.10-1.1.mga8.src.rpm

Description Julien Moragny 2023-03-13 21:45:36 CET
Hello QA,

I just uploaded liferea 1.12.10 to 8/updates_testing. It fixes CVE-2023-1350 which is a Remote code execution. Please test and hopefully validate this package.


Tentative Advisory:
========================

Updated liferea 1.12.10 fixes a security vulnerability

CVE-2023-1350 Remote code execution on feed enrichment

If you have enabled "Extract full content from HTML5 and Google AMP" for one or
more of your feed subscriptions, it is possible for an attacker to inject a script command that would run any command on your system.

Upgrading to 1.12.10 solves this security problem.

If you cannot upgrade, disable "Extract full content from HTML5 and Google AMP" for all of your feeds. This can be done in the feed properties dialog.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1350
https://github.com/lwindolf/liferea/releases/tag/v1.12.10
========================

Updated packages in core/updates_testing:
========================
liferea-1.12.10-1.1.mga8

Source RPM: 
liferea-1.12.10-1.1.mga8.src.rpm


Thanks
regards
Julien
Julien Moragny 2023-03-13 21:45:50 CET

CC: (none) => julien.moragny

Comment 1 Herman Viaene 2023-03-16 10:11:40 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No previous experience with this kind of stuff, so just opened it at the CLI:
$ liferea

(liferea:5080): Gtk-WARNING **: 10:02:21.632: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
Oops, secure memory pool already initialized
Oops, secure memory pool already initialized

(WebKitWebProcess:5096): Gtk-WARNING **: 10:02:23.094: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/tester8/.config/gtk-3.0/window_decorations.css: No such file or directory
unsupported entity: r.target.src
Liferea opens OK with a whole list of subscriptions preconfigured, jumped around a bit, found Planet Mageia and read the announcement of Mageia9beta.
Works OK to me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2023-03-16 15:28:06 CET
Validating. Advisory in comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-03-17 23:58:26 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2023-03-18 23:18:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0103.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

