µBackup 1.1, 2.0 and 2.2 local code execution using patterns

Bug #317115 reported by Eugenio Paolantonio

Affects: µBackup
Status: Fix Released
Importance: High
Assigned to: Eugenio Paolantonio

Bug Description

Affected Releases:
 * 1.1a1 to 1.1.5
 * 2.0a1 to 2.0.0
 * 2.2a1

On releases with patterns support (all releases except the 1.0 series), patterns are defined using the "source" command (an alias of this is ".") and it is possible to execute commands with a special pattern.

This compromises the security of the system, because with an ad-hoc script a malicious person can modify your pattern configuration file.

The 1.0 series is not affected.
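The root cause described in the report is that a configuration file is loaded with the shell's "source" ("." ) builtin, which executes it as a script, so whoever can write the file can run commands. The following is an added example, not µBackup's own code, showing the data-only alternative: a POSIX sh loader that reads the pattern file line by line and accepts only lines matching a strict allowlist, so a line carrying shell syntax is reported and skipped instead of executed. The function names (is_safe_pattern, load_patterns), the allowed character set and the sample pattern file are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not µBackup's code.
#
# Vulnerable approach (what the report describes), shown only as a comment:
#     . "$PATTERN_FILE"        # every line of the file is executed by the shell
#
# Safer approach: treat the file as data. Read it line by line and accept a
# line only if it is made of characters a backup path pattern needs.

# is_safe_pattern PATTERN
# Returns 0 when PATTERN is acceptable, 1 otherwise.
# Allowed characters: letters, digits, '/', '.', '_', '-', '*', '?'.
# Rejected: empty lines, a leading '-' (would be parsed as an option by the
# tool that later consumes the pattern), whitespace and every shell
# metacharacter ($ ` ; | & ( ) < > quotes), since those are what turn a
# config line into a command when the file is sourced.
is_safe_pattern() {
    case "$1" in
        '')                         return 1 ;;
        -*)                         return 1 ;;
        *[!A-Za-z0-9/._*?-]*)       return 1 ;;
        *)                          return 0 ;;
    esac
}

# load_patterns FILE
# Prints one accepted pattern per line on stdout and one notice per rejected
# line on stderr. The exit status is the number of rejected lines, so 0 means
# the whole file was clean. Blank lines and '#' comments are ignored.
load_patterns() {
    file=$1
    rejected=0
    lineno=0
    # '|| [ -n "$line" ]' keeps a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if is_safe_pattern "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected unsafe pattern on line %d: %s\n' "$lineno" "$line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$file"
    return "$rejected"
}

# Stand-alone usage: ./load_patterns.sh /path/to/patterns
# (no file given: do nothing, so the functions can also be sourced for tests)
[ $# -gt 0 ] && load_patterns "$1"
```

Because the loader never evaluates the file, a line such as a command substitution is just text that fails the allowlist and is logged; the caller can then refuse to run the backup when the exit status is non-zero. Checking the file's ownership and mode before reading it is a complementary control, since the report's concern is a file writable by someone other than the user running the backup.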

Eugenio Paolantonio (g7)
Changed in bxe:
assignee: nobody → g7
importance: Undecided → High
status: New → In Progress
Eugenio Paolantonio (g7) wrote:

I have released on our bazaar branches 1.1.5-5, 2.0.0-5 and 2.1.36.

These are test releases: they can contain other bugs and regressions.

Within a few hours/days/weeks/months/years (we hope hours :D) we shall release 1.1.6 and 2.0.1.

For the 2.2 series, until the release of alpha1/beta1 you can fix the problem by upgrading via bazaar.

g7

Eugenio Paolantonio (g7) wrote:

Released 2.0.1, 2.2.0 and 1.1.6.

It is highly recommended to upgrade immediately to these releases.

Changed in bxe:
status: In Progress → Fix Released
This report contains Public Security information: everyone can see this security related information.
