Descriptionbackintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
|National Vulnerability Database|
- openSUSE-SU-2017:3096-1, published Sun, 26 Nov 2017 00:07:26 +0100 (CET)
List of released packages
|Product(s)||Fixed package version(s)||References|
|openSUSE Leap 42.2|| ||Patchnames:
|openSUSE Leap 42.3|| ||Patchnames: