Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Nov 2014 00:25:09 +0200
From: Henri Salo <>
Subject: CVE request: Canto Feed URL Parsing Command Line Injection 

Can I get 2013 CVE for Canto feed URL parsing command line injection
vulnerability, thanks.

Project website:
Affected versions: All versions prior to v0.9.0
Debian version affected: 0.7.10-4
Canto was later removed from Debian. Versions 0.7.10-4 (wheezy) and 0.7.9-1
(squeeze) are not affected with this payload.
Upstream fix:
PoCs attached from the original advisory email.

Reported in Debian BTS by
<>. Quoting the mail:

I have just found a command line injection security vuln in
canto. The program fetches feeds from configured sites, and the
feeds contain URLs that people may want to visit. If a user
starts canto and chooses to go to one URL from one feed, canto
constructs a sh command line to visit the URL, but it doesn't
remove metachars. Therefore a malicious feed (owner turned bad,
man in the middle attack if fetched with http) can put in bad
data in all link and guid elements of the feed and use this to
hack the user when they visit some of the URLs. Not good. See my and evil.rss files for an example. Sorry for my English!

In case someone finds more issues you can contact developer via:

Henri Salo

Download attachment "evil.rss" of type "application/x-rss+xml" (1526 bytes)

View attachment "" of type "text/x-python" (75 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.