From: Aaron Bauman
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 201801-06 ] Back In Time: Command injection
Date: Sun, 07 Jan 2018 18:41:58 -0500
Message-ID: <2656969.04icUuYMUl@localhost.localdomain>
Organization: Gentoo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201801-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Back In Time: Command injection
Date: January 07, 2018
Bugs: #636974
ID: 201801-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A command injection vulnerability in 'Back in Time' may allow for the
execution of arbitrary shell commands.

Background
==========

A simple backup tool for Linux, inspired by "flyback project".

Affected packages
=================

    -------------------------------------------------------------------
     Package                /     Vulnerable     /          Unaffected
    -------------------------------------------------------------------
  1  app-backup/backintime         < 1.1.24                 >= 1.1.24

Description
===========

'Back in Time' improperly escaped and quoted file paths used as
arguments to the 'notify-send' command, which it ran through an
os.system call, so that parts of a file path could be executed as
shell commands.
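The pattern the Description refers to, as an added illustration that is not Back In Time's code or part of the GLSA: the vulnerable string-building beside two fixes. It assumes a POSIX /bin/sh and uses printf as a stand-in for notify-send so it runs offline; the sample file name is constructed and only runs echo.

```python
import shlex
import subprocess

# Stand-in for notify-send so the demo runs offline: printf prints each
# argument it receives on its own line, making visible what arrived.
NOTIFIER = "printf '%s\\n'"


def unsafe_command(path):
    # Vulnerable pattern from the advisory: the path is pasted into the
    # shell string verbatim, so /bin/sh interprets any quotes, $(...),
    # backticks or ; it contains when the string reaches os.system().
    return f"{NOTIFIER} 'Backup finished' '{path}'"


def quoted_command(path):
    # Fix 1: shlex.quote() turns the path into one literal shell word, so
    # its metacharacters reach the notifier as plain characters.
    return f"{NOTIFIER} 'Backup finished' {shlex.quote(path)}"


def run_in_shell(cmd):
    # Executes the string through /bin/sh exactly as os.system() would,
    # but captures stdout so the result can be inspected.
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_argv(path):
    # Fix 2 (preferred): pass an argv list with shell=False. No shell ever
    # parses the path, so there is nothing left to escape.
    argv = ["printf", "%s\\n", "Backup finished", path]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample file name: it closes the single quote the unsafe
# template opened and adds a command substitution. It only runs echo.
SAMPLE_PATH = "photos'$(echo INJECTED)'.jpg"

if __name__ == "__main__":
    # Unsafe: the substitution ran and rewrote the name to photosINJECTED.jpg
    print(run_in_shell(unsafe_command(SAMPLE_PATH)))
    # Both fixes deliver the file name untouched
    print(run_in_shell(quoted_command(SAMPLE_PATH)))
    print(run_argv(SAMPLE_PATH))
```

The first call shows the tell-tale of the bug: the file name comes back altered because the shell evaluated part of it; the two fixed variants return it byte-for-byte.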

Impact
======

A context-dependent attacker could execute arbitrary shell commands via
a specially crafted file.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All 'Back In Time' users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-backup/backintime-1.1.24"

References
==========

[ 1 ] CVE-2017-16667
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16667

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201801-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5