Marked for autoremoval on 21 September: #935341high
Version 1.1.24-0.1 of backintime is marked for autoremoval from testing on Sat 21 Sep 2019. It is affected by #935341. You should try to prevent the removal by fixing these RC bugs.
vcswatch reports that
this package seems to have a new changelog entry (version
1.2.1-1, distribution
unstable) and new commits
in its VCS. You should consider whether it's time to make
an upload.
CVE-2017-16667: backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.
CVE-2017-7572: The _checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use). With this authorization method, the owner of a process requesting a polkit operation is checked by polkitd via /proc/<pid>/status, by which time the requesting process may have been replaced by a different process with the same PID that has different privileges then the original requester.
CVE-2017-16667: backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.
Please fix it.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.4.0 instead of
4.1.5).
![[bug history graph]](https://qa.debian.org/data/bts/graphs/b/backintime.png){kind=link}