Advisories ยป MGASA-2018-0059

Updated backintime packages fix security vulnerability

Publication date: 04 Jan 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2017-16667

Description

backintime (aka Back in Time) before 1.1.24 did improper
escaping/quoting of file paths used as arguments to the 'notify-send'
command, leading to some parts of file paths being executed as shell
commands within an os.system call in qt4/plugins/notifyplugin.py. This
could allow an attacker to craft an unreadable file with a specific name
to run arbitrary shell commands (CVE-2017-16667).
                

References

SRPMS

6/core