GLSA 201801-06: Back In Time: Command injection

Severity:normal
Title:Back In Time: Command injection
Date:01/07/2018
Bugs: #636974
ID:201801-06

Synopsis

A command injection vulnerability in 'Back in Time' may allow for the execution of arbitrary shell commands.

Background

A simple backup tool for Linux, inspired by “flyback project”.

Affected packages

Package Vulnerable Unaffected Architecture(s)
app-backup/backintime < 1.1.24 >= 1.1.24 All supported architectures

Description

‘Back in Time’ did improper escaping/quoting of file paths used as arguments to the ‘notify-send’ command leading to some parts of file paths being executed as shell commands within an os.system call.

Impact

A context-dependent attacker could execute arbitrary shell commands via a specially crafted file.

Workaround

There is no known workaround at this time.

Resolution

All ‘Back In Time’ users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-backup/backintime-1.1.24"
    

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201801-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!