| Summary: | backintime new security issue CVE-2017-16667 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | brtians1, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga6-64-ok mga6-32-ok | ||
| Source RPM: | backintime-1.1.20-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser 2017-11-09 18:06:54 CET

David Walser 2017-11-09 18:07:02 CET

Whiteboard: (none) => MGA5TOO

Built so far by David:

backintime-common-1.1.24-1.mga6
backintime-qt4-1.1.24-1.mga6

from backintime-1.1.24-1.mga6.src.rpm

Fedora has issued an advisory for this on November 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QNBPN76RX2RKR2K7NEMJMOD576ASBHA/

openSUSE has issued an advisory for this today (November 26):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00078.html

Not sure what happened to David, but obviously he doesn't intend to update this for Mageia 5. Assigning Mageia 6 update to QA.

Advisory:
========================

Updated backintime packages fix security vulnerability:

backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands (CVE-2017-16667).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16667
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4QNBPN76RX2RKR2K7NEMJMOD576ASBHA/
========================

Updated packages in core/updates_testing:
========================
backintime-common-1.1.24-1.mga6
backintime-qt4-1.1.24-1.mga6

from backintime-1.1.24-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs

The following 78 packages are going to be installed:
86MB of additional disk space will be used. 22MB of packages will be retrieved. Is it ok to continue?

$ uname -a
Linux localhost 4.14.9-desktop-1.mga6 #1 SMP Mon Dec 25 15:27:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ran backintime (back to Marty Fly). Was able to perform a backup to a USB drive. Did not try the network options. Working as designed.

Whiteboard: (none) => mga6-64-ok
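The advisory above describes file paths reaching an os.system("notify-send ...") call without proper quoting. The following is an added example, not backintime's own code: it shows that command-building pattern beside two hardened forms and uses shlex.split to show, without executing anything, how a POSIX shell would tokenise each command line; the title, sample path and exact command shape are constructed assumptions.

```python
"""Added example for CVE-2017-16667 (not backintime's own code).

The functions below only build notify-send command lines and tokenise
them with shlex; nothing is executed at import time."""
import shlex
import subprocess

TITLE = "Back In Time"  # constructed notification title

# Constructed sample: a backup file whose name contains a space and a ';'.
SAMPLE_PATH = "/backup/My Report; 2017.txt"


def notify_cmd_vulnerable(title: str, path: str) -> str:
    # Shape of the flaw: the path is interpolated into a shell command
    # string.  Handed to os.system(), /bin/sh word-splits it and treats
    # ';', '$(...)', backticks and similar in the file name as shell syntax.
    return "notify-send {} {}".format(title, path)


def notify_cmd_quoted(title: str, path: str) -> str:
    # Fix 1: still a shell string, but every argument goes through
    # shlex.quote(), so the path survives as exactly one literal word.
    return "notify-send {} {}".format(shlex.quote(title), shlex.quote(path))


def notify_argv(title: str, path: str) -> list:
    # Fix 2 (preferred): an argv list, so no shell parses the path at all.
    return ["notify-send", title, path]


def shell_words(cmd: str) -> list:
    # POSIX word splitting and quote handling as /bin/sh would apply it,
    # without running anything.  shlex models splitting and quoting only,
    # not ';' or command substitution, so a real shell would do even more
    # with the unquoted form than the token list shows.
    return shlex.split(cmd)


def send_notification(title: str, path: str) -> int:
    # Hardened send: argv list, no shell.  Assumes notify-send is installed.
    return subprocess.run(notify_argv(title, path), check=False).returncode


if __name__ == "__main__":
    print("unquoted:", shell_words(notify_cmd_vulnerable(TITLE, SAMPLE_PATH)))
    print("quoted  :", shell_words(notify_cmd_quoted(TITLE, SAMPLE_PATH)))
    print("argv    :", notify_argv(TITLE, SAMPLE_PATH))
```

Run it directly to see the path arrive as seven shell words in the unquoted form and as a single argument in both fixed forms.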
David Walser 2018-01-03 22:35:07 CET

Severity: normal => critical

$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:53:48 UTC 2017 i686 i686 i686 GNU/Linux

The following 84 packages are going to be installed:
151MB of additional disk space will be used. 37MB of packages will be retrieved. Is it ok to continue?

Configured backintime. Ran backup on different files. Working as designed.

Whiteboard: mga6-64-ok => mga6-64-ok mga6-32-ok

Thank you Brian for both your tests. Advisoried; validating.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0059.html

Resolution: (none) => FIXED