Date: Wed, 8 Nov 2017 20:46:52 +0100 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: Back in Time: CVE-2017-16667: shell injection in notify-send Hi MITRE has assinged CVE-2017-16667 for the following isue in Back in Time, "a simple backup tool for Linux". backintime is prone to a shell injection vulnerability via notify-sent. Back in Time did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands. An attacker could take advantage of this flaw by crafting an unreadable file with a specific name to run arbitrary shell commands. Upstream report: https://github.com/bit-team/backintime/issues/834 Fixed by: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.