CVE-2017-16667

backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.

References

Affected packages

Git / github.com/bit-team/backintime

Affected ranges

Type

GIT

Repo

https://github.com/bit-team/backintime

Events

Introduced

Fixed

52051a69451fc9fbf6c07e934c615116cd33e4d3

Fixed

cef81d0da93ff601252607df3db1a48f7f6f01b3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.24"
        }
    ]
}

Affected versions

v0.*

v0.7.4

v0.8.0

v0.8.12

v0.8.14

v0.8.16

v0.8.18

v0.8.20

v0.8.8

v0.9.0

v0.9.10

v0.9.12

v0.9.14

v0.9.16

v0.9.18

v0.9.2

v0.9.20

v0.9.22

v0.9.24

v0.9.26

v0.9.4

v0.9.6

v0.9.8

v1.*

v1.0.0

v1.0.12

v1.0.14

v1.0.18

v1.0.2

v1.0.20

v1.0.24

v1.0.28

v1.0.4

v1.0.6

v1.1.0

v1.1.10

v1.1.12

v1.1.14

v1.1.16

v1.1.18

v1.1.2

v1.1.20

v1.1.22

v1.1.4

v1.1.6

v1.1.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16667.json"