backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of
file paths used as arguments to the 'notify-send' command, leading to some
parts of file paths being executed as shell commands within an os.system
call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft
an unreadable file with a specific name to run arbitrary shell commands.
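The flaw described above is the classic shell-string construction bug, and the fix is the same whether the program is backintime or anything else that shells out: keep attacker-influenced strings out of the shell entirely, or quote them as a single literal word. The block below is an added example, not code from backintime or from the Gentoo bug; the "Can't read ..." message text is assumed, and `true` stands in for `notify-send` so the demo runs headless and the embedded `touch` is the only observable side effect.

```python
import os
import shlex
import subprocess


def notify_via_shell(message, notifier="notify-send"):
    """Vulnerable pattern (a stand-in for the pre-1.1.24 notifyplugin code,
    not a copy of it): the message, which carries an attacker-chosen file
    name, is interpolated into a command string and run through os.system,
    so the shell interprets $(...), backticks, ; and friends inside it."""
    return os.system('%s "%s"' % (notifier, message))


def notify_via_quoted_shell(message, notifier="notify-send"):
    """Minimal fix if a shell string must be kept: shlex.quote() wraps the
    message in single quotes and escapes embedded quotes, so the shell
    treats the whole message as one literal argument."""
    return os.system("%s %s" % (notifier, shlex.quote(message)))


def notify_via_argv(message, notifier="notify-send"):
    """Preferred fix: hand the notifier an argv list; no shell is involved,
    so the message can contain anything and still arrives as one argument."""
    return subprocess.run([notifier, message], check=False).returncode


def injection_demo(workdir):
    """Run all three variants with a constructed malicious file name and
    report, per variant, whether the embedded command actually ran (a marker
    file appears).  `true` stands in for notify-send."""
    results = []
    for notify in (notify_via_shell, notify_via_quoted_shell, notify_via_argv):
        marker = os.path.join(workdir, notify.__name__ + ".marker")
        # Constructed attacker input: a file name carrying a command substitution.
        evil_name = "backup$(touch %s).tar" % shlex.quote(marker)
        notify("Can't read %s" % evil_name, notifier="true")
        results.append(os.path.exists(marker))
    return tuple(results)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Only the raw shell-string variant executes the injected command.
        print(injection_demo(d))  # (True, False, False)
```

Note that wrapping the path in double quotes (as the vulnerable variant does) is not quoting in any useful sense: `$(...)`, backticks and `$VAR` are still expanded inside double quotes. Single quotes via `shlex.quote()` stop that, but the argv form is the version to reach for, since it removes the shell from the picture altogether.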
@Maintainer please call for stabilization when ready.
@arches: Please stabilize immediately.
@Maintainer(s): Please clean up and drop <app-backup/backintime-1.1.24!
The bug has been referenced in the following commit(s):
Author: Michael Weber <email@example.com>
AuthorDate: 2017-12-22 08:51:37 +0000
Commit: Michael Weber <firstname.lastname@example.org>
CommitDate: 2017-12-22 08:51:49 +0000
app-backup/backintime: Remove security affected version.
- Remote code execution vulnerability (CVE-2017-16667)
- Race condition (CVE-2017-7572)
Package-Manager: Portage-2.3.19, Repoman-2.3.6
app-backup/backintime/Manifest | 1 -
app-backup/backintime/backintime-1.1.12.ebuild | 77 --------------------------
2 files changed, 78 deletions(-)
New GLSA request filed.
Gentoo Security Padawan
This issue was resolved and addressed in
GLSA 201801-06 at https://security.gentoo.org/glsa/201801-06
by GLSA coordinator Aaron Bauman (b-man).