µBackup 1.1, 2.0 and 2.2 local code execution using patterns
Bug #317115 reported by Eugenio Paolantonio
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
µBackup | Fix Released | High | Eugenio Paolantonio |
Bug Description
Affected Releases:
* 1.1a1 to 1.1.5
* 2.0a1 to 2.0.0
* 2.2a1
On releases with patterns support (all releases except the 1.0 series), patterns are defined using the "source" command (an alias of this is "."), and it is possible to execute commands with a special pattern.
This compromises the security of the system, because with an ad-hoc script a malicious person can modify your pattern configuration file.
The 1.0 series is not affected.
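An added example (not µBackup's code and not part of the original report): one way to read a pattern file as data instead of loading it with "source" or ".", so that shell syntax inside the file is never executed. The `NAME=value` layout, the function name `get_pattern` and the sample file are assumptions made for illustration; the page does not show µBackup's pattern format or its actual fix.

```shell
#!/bin/sh
# Added example, not µBackup code. The NAME=value file layout is an assumption.
# The file is read line by line as text; nothing in it reaches "source", "."
# or eval, so shell syntax inside a value stays an inert string.

# get_pattern FILE NAME: print the value stored for NAME.
# Returns 0 if found, 1 if NAME is absent, 2 if any line is malformed.
get_pattern() {
    gp_file=$1; gp_want=$2; gp_found=1; gp_out=
    while IFS= read -r gp_line || [ -n "$gp_line" ]; do
        case $gp_line in
            ''|'#'*) continue ;;                 # blank line or comment
            *=*) ;;                              # candidate NAME=value line
            *) return 2 ;;                       # anything else is rejected
        esac
        gp_name=${gp_line%%=*}
        case $gp_name in
            ''|*[!A-Za-z0-9_]*) return 2 ;;      # NAME: letters, digits, _
        esac
        if [ "$gp_found" -eq 1 ] && [ "$gp_name" = "$gp_want" ]; then
            gp_out=${gp_line#*=}                 # first match wins
            gp_found=0
        fi
    done < "$gp_file"
    if [ "$gp_found" -eq 0 ]; then
        printf '%s\n' "$gp_out"                  # printed verbatim
    fi
    return "$gp_found"
}

# Constructed sample input: the second value contains a command substitution.
demo_dir=$(mktemp -d)
printf '%s\n' '# patterns' 'exclude=*.tmp' \
    "include=\$(touch $demo_dir/marker)" > "$demo_dir/patterns.conf"
get_pattern "$demo_dir/patterns.conf" include    # prints the text, runs nothing
[ -e "$demo_dir/marker" ] || echo "marker not created: nothing was executed"
rm -rf "$demo_dir"
```

A caller must keep the returned value quoted and must not pass it to eval, otherwise the same problem returns one step later.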
Changed in bxe:
assignee: nobody → g7
importance: Undecided → High
status: New → In Progress
I have released on our bazaar branches 1.1.5-5, 2.0.0-5 and 2.1.36.
These are test releases: they can contain other bugs and regressions.
Within a few hours/days/weeks/months/years (we hope in hours :D) we shall release 1.1.6 and 2.0.1.
For the 2.2 series, until the release of alpha1/Beta 1, you can fix the problem by upgrading via bazaar.
g7