newsbeuter
Tue, Jan 30, 2018
newsbeuter is my favourite RSS reader because I can save the config easily in a git repo and run the whole thing from a terminal, meaning I can access it from everywhere. The interface is quite clear and easy to use. All the info I need and want is easily spottable.
It’s about two CVEs in newsbeuter, potentially allowing a remote attacker to execute code on my machine. They were open.
As one can see, CVE-2017-14500 was issued on 2017-09-17 and the openSUSE bug was created just one day later. CVE-2017-12904 was released on 2017-08-23 and the openSUSE bug was created on 2017-08-19.
Both bugs were only solved on 2018-01-18. This can sometimes happen, for example when a package maintainer suddenly disappears or has other, more pressing life circumstances and doesn’t find the time.
Luckily Alexander Batischev aka Minoru had already fixed them in the upstream GitHub repo, so applying them to the openSUSE version of newsbeuter 2.9 was easy. Then I saw that there are 603 commits since the last release, among them many important bug fixes and the fixes for the above mentioned CVEs.
Why didn’t those guys release a new version?
Those who can read have an advantage. But why did they fork and not create a new release?!
The answer can be found in Minoru’s mail to the newsbeuter mailing list.
TL;DR: The original maintainer, Andreas Krennmair, disappeared. Minoru had admin rights to the GitHub repo, but wasn’t able to update the website. So he forked the project as newsboat.
After fixing both CVEs for openSUSE Leap and Tumbleweed, it additionally made sense to replace newsbeuter with newsboat in openSUSE Tumbleweed. I created a tracker bug for this, and the changes have already been merged. So users who had newsbeuter installed will now automatically migrate to newsboat. The configuration files are imported automatically too.
Additionally, when building the openSUSE package, OBS checks the tarball against the GPG signature of the upstream author.
I was curious. Were we the only ones who didn’t have patches for those CVEs?
Arch has a newsbeuter 2.8 and a newsbeuter-git package. The git package is not at all the latest git. It stands at git commit 96e9506ae9e252c548665152d1b8968297128307, which is from mid August 2017, whereas the last commit (as of this writing) is 7c981f460d6c8c3690f140cbb279c277dc8f55fe from the end of September.
openSUSE has git packages which can be triggered automatically: they then check out the newest source code and build the package. No manual intervention needed. GitHub offers to send out such notifications, meaning openSUSE’s build service can build and release a new package upon every commit to the upstream GitHub repo. For Arch I suppose manual updates to the git packages are needed.
They also have a newsboat-git package since the 12th of December 2017, but it is also not up to date with git. It still has the state of the 12th of December.
So they have 3 different packages providing the same thing, all in different states, none in the state it should be in. Also, people who installed newsbeuter will not be notified or automatically upgraded to newsboat, so they need to keep track of this themselves.
And even if they do, there is no good package available for them. There should be a single newsboat package with the latest stable version, and maybe a newsboat-git package for people who want to run the development version. But the latter really should track the latest git.
Good looking package. No confusion about what is what. Debian Testing contains newsbeuter 2.9 and newsboat 2.10.2, so both are at the latest stable version. Newsbeuter 2.9 has many important patches, among them the fixes for the CVEs. As far as I can see, there is no notification or automatic migration to newsboat. However, users are secure no matter which one they have installed.
Fedora ships version 2.9 of newsbeuter (with changes to make it build with the latest json-c, for example), but no fixes for the security issues. And no newsboat.
Gentoo has a stable 2.9 package with some patches, among which is a fix for CVE-2017-12904, and also a git package. They also offer newsboat in version 2.10.2 and the latest git.