Advisories » MGASA-2018-0059

Updated backintime packages fix security vulnerability

Publication date: 04 Jan 2018
Modification date: 04 Jan 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-16667

Description

backintime (aka Back in Time) before 1.1.24 did not properly escape or
quote file paths passed as arguments to the 'notify-send' command, so
some parts of a file path could be executed as shell commands by an
os.system call in qt4/plugins/notifyplugin.py. An attacker could craft
an unreadable file with a specific name to run arbitrary shell commands
(CVE-2017-16667).
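
The quoting problem described above, as an added example that is not backintime's code: it hands the same file path to a notifier in three ways and reports whether the path arrives unchanged. `printf` stands in for `notify-send`, and the function names and sample paths are constructed for illustration.

```python
import shlex
import subprocess

# Assumption: printf stands in for notify-send. It echoes back the single
# argument it is handed, which shows what the notifier would receive.
STAND_IN = "printf"
FMT = "%s\\n"  # printf format string: the argument, then a newline


def _shell(cmd):
    # shell=True hands the string to /bin/sh, as os.system() does.
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout[:-1]  # drop printf's trailing newline


def run_unquoted(path):
    """Pattern the advisory describes: path pasted into a shell string."""
    return _shell("%s '%s' \"%s\"" % (STAND_IN, FMT, path))


def run_quoted(path):
    """Still a shell string, but the path goes through shlex.quote()."""
    return _shell("%s '%s' %s" % (STAND_IN, FMT, shlex.quote(path)))


def run_argv(path):
    """No shell: the path is exactly one element of the argument vector."""
    done = subprocess.run([STAND_IN, FMT, path], capture_output=True, text=True)
    return done.stdout[:-1]


# Constructed sample paths; MARKER is a harmless placeholder word.
SAMPLES = [
    "/home/user/notes.txt",
    "/home/user/report $(echo MARKER).txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        for fn in (run_unquoted, run_quoted, run_argv):
            got = fn(path)
            verdict = "intact" if got == path else "ALTERED by the shell"
            print("%-12s %-40r -> %r (%s)" % (fn.__name__, path, got, verdict))
```

Only `run_unquoted` returns a different string for the second sample, because the shell evaluated part of the file name before the notifier received it.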
                

References

SRPMS

6/core