system-tools-backends is no longer in main and has been deprecated. I am going to leave this bug open for now, but unsubscribing ubuntu-security.
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to system-tools-backends in Ubuntu.
https://bugs.launchpad.net/bugs/190628

Title:
  breakage and possible execution of unsafe code with shell metacharacters

Status in system-tools-backends: Confirmed
Status in “system-tools-backends” package in Ubuntu: Confirmed

Bug description:
  Binary package hint: system-tools-backends

  The function Utils::File::run_backtick() (from '/usr/share/system-tools-backends-2.0/scripts/Utils/File.pm') accepts a single argument of a string which is later parsed into a command and arguments by splitting on blanks. This causes breakage whenever an argument itself contains blanks or other shell metacharacters and can even lead to the unintended execution of shellcode.

  A real-world example of breakage is when entering an SSID or encryption key containing blanks or other shell metacharacters via network-admin from gnome-system-tools. It is even unsecure since unsafe shellcode could be injected by way of having an SSID such as "My SSID; rm -rf /".
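
The failure mode in the bug description, next to a list-based alternative, as an added example that is not code from system-tools-backends. `split_on_blanks`, `run_list` and the command name `set-ssid` are hypothetical; the SSID is the one quoted in the report, and the only process started is a second Perl interpreter that prints its arguments.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: the SSID quoted in the bug description.
my $ssid = 'My SSID; rm -rf /';

# Hypothetical stand-in for the reported pattern: a single command string
# is split on blanks into a command and its arguments. Nothing is executed.
sub split_on_blanks {
    my ($command_line) = @_;
    return split ' ', $command_line;
}

# Alternative: the caller supplies the command as a list. List-form open()
# with '-|' execs the program directly, so no shell parses the arguments
# and each list element arrives as exactly one argument.
sub run_list {
    my (@argv) = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @output = <$fh>;
    close($fh) or die "$argv[0] exited with status $?";
    return @output;
}

# 'set-ssid' is a hypothetical command name used only to build the string.
my @words = split_on_blanks("set-ssid $ssid");
print "split on blanks yields ", scalar(@words), " words:\n";
print "  <$_>\n" for @words;
# The SSID is now spread over five separate words, and ';' is still present
# for any shell that later sees the rejoined string.

# Harmless child: the current Perl interpreter echoing its arguments.
# '--' stops switch parsing so values starting with '-' stay data.
my @show_args = ($^X, '-e', 'print "[$_]\n" for @ARGV', '--');

print "list form delivers the SSID as one argument:\n";
print "  $_" for run_list(@show_args, $ssid);
```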

