No CVE (yet?) as far as I can see, but upstream release notes for version 1.8.7 state: "SECURITY: Prevent shell injection attacks within the PostgreSQL hook, the MongoDB hook, the SQLite hook, the "borgmatic borg" action, and command hook variable/constant interpolation." These were mostly fixed in 1.8.7, with additional fixes related to the PostgreSQL hook in 1.8.8.
I've removed the version from the summary because we don't have a fixed version in gentoo yet. I also think this should have been < 1.8.8 instead of <= 1.8.8, or am I overlooking something?
No, you're right. My bad.
Also, now we HAVE got 1.8.8 in the tree so version number re-added to the summary :)
(In reply to Marek Szuba from comment #3)
> Also, now we HAVE got 1.8.8 in the tree so version number re-added to the
> summary :)

Onwards to a stable version then. Thanks!
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=412d9041161ccba7f5bb976e4387048a80f143ef

commit 412d9041161ccba7f5bb976e4387048a80f143ef
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2024-03-11 15:19:49 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2024-03-11 15:22:44 +0000

app-backup/borgmatic: stabilize 1.8.8 for amd64

Closes: https://bugs.gentoo.org/924892
Signed-off-by: Marek Szuba <marecki@gentoo.org>

app-backup/borgmatic/borgmatic-1.8.8.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b19259d6c55106a630f0cf3baf0c9b354fed332c

commit b19259d6c55106a630f0cf3baf0c9b354fed332c
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2024-03-11 15:23:10 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2024-03-11 15:23:53 +0000

app-backup/borgmatic: drop 1.8.3, 1.8.5-r1

No versions vulnerable to the present issue left in the tree.

Bug: https://bugs.gentoo.org/924892
Signed-off-by: Marek Szuba <marecki@gentoo.org>

app-backup/borgmatic/Manifest | 2 -
app-backup/borgmatic/borgmatic-1.8.3.ebuild | 74 ------------------------
app-backup/borgmatic/borgmatic-1.8.5-r1.ebuild | 79 --------------------------
3 files changed, 155 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7ef3d7f0844a47e11674d679d67d55835035ab61

commit 7ef3d7f0844a47e11674d679d67d55835035ab61
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-05 07:55:00 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-05 07:56:01 +0000

[ GLSA 202405-13 ] borgmatic: Shell Injection

Bug: https://bugs.gentoo.org/924892
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202405-13.xml | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)