gnu: newsbeuter: Deprecate in favour of newsboat.

* gnu/packages/syndication.scm (newsbeuter): Redefine using ‘deprecated-package’. * gnu/packages/patches/newsbeuter-CVE-2017-12904.patch: Delete file. * gnu/packages/patches/newsbeuter-CVE-2017-14500.patch: Likewise. * gnu/local.mk (dist_patch_DATA): Remove both.
2018-01-11 00:54:22 +01:00 · 2018-01-11 00:54:22 +01:00 · f26fa354f1
commit f26fa354f1
parent e21888dd0d
4 changed files with 6 additions and 131 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -921,8 +921,6 @@ dist_patch_DATA =						\
  %D%/packages/patches/netsurf-system-utf8proc.patch		\
  %D%/packages/patches/netsurf-y2038-tests.patch		\
  %D%/packages/patches/netsurf-longer-test-timeout.patch	\
-  %D%/packages/patches/newsbeuter-CVE-2017-12904.patch		\
-  %D%/packages/patches/newsbeuter-CVE-2017-14500.patch		\
  %D%/packages/patches/ngircd-handle-zombies.patch		\
  %D%/packages/patches/ninja-zero-mtime.patch			\
  %D%/packages/patches/node-test-http2-server-rst-stream.patch	\
--- a/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
+++ b/gnu/packages/patches/newsbeuter-CVE-2017-12904.patch
@ -1,34 +0,0 @@
-Fix CVE-2017-12904:
-
-https://github.com/akrennmair/newsbeuter/issues/591
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12904
-
-Patch copied from the Debian package of newsbeuter, version 2.9-5+deb9u1.
-
-Adapted from upstream source repository:
-
-https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
-
-Description: Fix a RCE vulnerability in the bookmark command
- Newsbeuter didn't properly escape the title and description fields before
- passing them to the bookmarking program which could lead to remote code
- execution using the shells command substitution functionality (e.g. "$()", ``,
- etc)
-
-Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
-Last-Update: 2017-08-18
-
--- newsbeuter-2.9.orig/src/controller.cpp
-+++ newsbeuter-2.9/src/controller.cpp
-@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
- 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
- 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
- 	if (bookmark_cmd.length() > 0) {
-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
-+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
- 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
-+		                                       utils::replace_all(title,"'", "%27").c_str(),
-+		                                       utils::replace_all(description,"'", "%27").c_str());
- 
- 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
--- a/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
+++ b/gnu/packages/patches/newsbeuter-CVE-2017-14500.patch
@ -1,43 +0,0 @@
-https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
-
-From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
-From: Alexander Batischev <eual.jp@gmail.com>
-Date: Sat, 16 Sep 2017 19:31:43 +0300
-Subject: [PATCH] Work around shell code in podcast names (#598)
-
---
- src/pb_controller.cpp | 6 +++---
- src/queueloader.cpp   | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp
-index 09b5e897..213216cd 100644
--- a/src/pb_controller.cpp
-+++ b/src/pb_controller.cpp
-@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) {
- 	if (player == "")
- 		return;
- 	cmdline.append(player);
-	cmdline.append(" \"");
-	cmdline.append(utils::replace_all(file,"\"", "\\\""));
-	cmdline.append("\"");
-+	cmdline.append(" \'");
-+	cmdline.append(utils::replace_all(file,"'", "%27"));
-+	cmdline.append("\'");
- 	stfl::reset();
- 	LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
- 	::system(cmdline.c_str());
-diff --git a/src/queueloader.cpp b/src/queueloader.cpp
-index c1dabdd8..ae725e04 100644
--- a/src/queueloader.cpp
-+++ b/src/queueloader.cpp
-@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) {
- 		strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
- 		fn.append(lbuf);
- 	} else {
-		fn.append(base);
-+		fn.append(utils::replace_all(base, "'", "%27"));
- 	}
- 	return fn;
- }
--- a/gnu/packages/syndication.scm
+++ b/gnu/packages/syndication.scm
@ -25,59 +25,9 @@
  #:use-module (gnu packages documentation)
  #:use-module (gnu packages gettext)
  #:use-module (gnu packages ncurses)
-  #:use-module (gnu packages perl)
  #:use-module (gnu packages pkg-config)
-  #:use-module (gnu packages ruby)
-  #:use-module (gnu packages xml)
-  #:use-module (gnu packages web))
-
-(define-public newsbeuter
-  (package
-    (name "newsbeuter")
-    (version "2.9")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://newsbeuter.org/downloads/newsbeuter-"
-                            version ".tar.gz"))
-        (patches (search-patches "newsbeuter-CVE-2017-12904.patch"
-                                 "newsbeuter-CVE-2017-14500.patch"))
-        (sha256
-         (base32
-          "1j1x0hgwxz11dckk81ncalgylj5y5fgw5bcmp9qb5hq9kc0vza3l"))))
-    (build-system gnu-build-system)
-    (arguments
-     '(#:phases
-       (modify-phases %standard-phases
-         (replace 'configure
-           (lambda _
-             (substitute* "config.sh"
-               ;; try to remove this at the next release
-               (("ncursesw5") "ncursesw6"))
-             #t)))
-       #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out")))
-       #:test-target "test"))
-    (native-inputs
-     `(("gettext" ,gettext-minimal)
-       ("perl" ,perl)
-       ("pkg-config" ,pkg-config)
-       ("ruby" ,ruby))) ; for tests
-    (inputs
-     `(("curl" ,curl)
-       ("json-c" ,json-c-0.12)      ; check whether json-c-0.12 can be removed
-       ("ncurses" ,ncurses)
-       ("stfl" ,stfl)
-       ("sqlite" ,sqlite)
-       ("libxml2" ,libxml2)))
-    (home-page "https://newsbeuter.org/")
-    (synopsis "Text mode rss feed reader with podcast support")
-    (description "Newsbeuter is an innovative RSS feed reader for the text
-console.  It supports OPML import/exports, HTML rendering, podcast (podbeuter),
-offline reading, searching and storing articles to your filesystem, and many
-more features.  Its user interface is coherent, easy to use, and might look
-common to users of @command{mutt} and @command{slrn}.")
-    (license (list license:gpl2+        ; filter/*
-                   license:expat))))    ; everything else
+  #:use-module (gnu packages web)
+  #:use-module (gnu packages xml))

 (define-public newsboat
  (package
@ -128,3 +78,7 @@ file system, and many more features.
 It started life as a fork of the currently unmaintained Newsbeuter.")
    (license (list license:gpl2+        ; filter/*
                   license:expat))))    ; everything else
+
+(define-public newsbeuter
+  ;; Newsbeuter is unmaintained with multiple CVEs, and was forked as Newsboat.
+  (deprecated-package "newsbeuter" newsboat))