Your message dated Sun, 22 Jul 2018 20:35:21 +0000
with message-id <e1fhl4b-0004y6...@fasolo.debian.org>
and subject line Bug#881205: fixed in backintime 1.1.24-0.1
has caused the Debian Bug report #881205,
regarding backintime: CVE-2017-16667: shell injection in notify-send
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
881205: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: backintime
Version: 1.1.12-2
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/bit-team/backintime/issues/834

Hi,

the following vulnerability was published for backintime.

CVE-2017-16667[0]:
| backintime (aka Back in Time) before 1.1.24 did improper
| escaping/quoting of file paths used as arguments to the 'notify-send'
| command, leading to some parts of file paths being executed as shell
| commands within an os.system call in qt4/plugins/notifyplugin.py. This
| could allow an attacker to craft an unreadable file with a specific
| name to run arbitrary shell commands.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16667
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16667
[1] https://github.com/bit-team/backintime/issues/834
[2] https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
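The unsafe and hardened forms of the notify-send call that the CVE text describes, as an added example written for this page (a reconstruction of the pattern, not backintime's own code). `SAMPLE_PATH` is a constructed file name and the function names are hypothetical; the point is that a path built into a shell string is re-parsed by `/bin/sh`, while an argv list passed without a shell is not.

```python
import shlex
import subprocess
from typing import List

# Constructed sample path containing shell-significant characters. A backup
# tool walks arbitrary user file names, so any of them may look like this.
SAMPLE_PATH = '/home/user/notes/Q3 "final" report.txt'


def notify_command_unsafe(title: str, message: str) -> str:
    """The vulnerable shape (hypothetical reconstruction): the path is
    interpolated into one string that os.system() hands to /bin/sh, so
    quotes, $ and backticks in the file name are parsed by the shell."""
    return 'notify-send "%s" "%s"' % (title, message)


def notify_argv_safe(title: str, message: str) -> List[str]:
    """Hardened form: an argv list executed without a shell. Every byte of
    `message` reaches notify-send as one literal argument."""
    return ["notify-send", title, message]


def notify_command_quoted(title: str, message: str) -> str:
    """If a shell string is unavoidable, shlex.quote() each argument so the
    shell sees exactly one word per argument."""
    return "notify-send %s %s" % (shlex.quote(title), shlex.quote(message))


def shell_sees_path_intact(command: str, path: str) -> bool:
    """Parse `command` with POSIX word-splitting rules and report whether the
    path survives as the third word unchanged. False proves the shell is
    rewriting the file name; True does not prove safety, because shlex.split
    performs no $-expansion or command substitution, unlike a real sh."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quoting: sh would error, or worse
        return False
    return len(words) == 3 and words[2] == path


def send_notification(title: str, message: str) -> int:
    """Run notify-send without a shell; returns its exit status, or -1 when
    notify-send is not installed."""
    argv = notify_argv_safe(title, message)
    try:
        return subprocess.run(argv, check=False).returncode
    except FileNotFoundError:
        return -1
```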
--- Begin Message ---
Source: backintime
Source-Version: 1.1.24-0.1

We believe that the bug you reported is fixed in the latest version of
backintime, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Wolff <fabi.wo...@arcor.de> (supplier of updated backintime package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Jul 2018 13:02:53 +0200
Source: backintime
Binary: backintime-common backintime-qt4 backintime-gnome backintime-kde
Architecture: source all
Version: 1.1.24-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Wiltshire <j...@debian.org>
Changed-By: Fabian Wolff <fabi.wo...@arcor.de>
Description:
 backintime-common - simple backup/snapshot system (common files)
 backintime-gnome - GNOME front-end for backintime (transitional package)
 backintime-kde - KDE front-end for backintime (transitional package)
 backintime-qt4 - simple backup/snapshot system (graphical interface)
Closes: 879609 881205
Changes:
 backintime (1.1.24-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release (Closes: #879609, #881205)
     (fixes CVE-2017-16667).
   * Update debian/watch to version 4 format (no changes).
   * Remove patches 01-858193-back-up-slash-root-perms.patch and
     02-polkit-vuln.patch (fixed upstream).
   * Set Priority to optional in debian/control (extra is deprecated).
   * Update Vcs-Git and Vcs-Browser fields in debian/control.
   * Delete trailing whitespace from debian/{changelog,control} in
     order to silence the file-contains-trailing-whitespace Lintian
     tag.
   * Upgrade to debhelper compat level 11.
   * Upgrade to Standards-Version 4.1.5 in debian/control.
   * Add patches 01-fix-spelling-errors.patch and
     02-fix-man-error.patch.
   * Remove unused desktop-command-not-in-package Lintian override.
   * Update debian/copyright.


--- End Message ---
