Hello community, here is the log from the commit of package backintime for openSUSE:Factory checked in at 2017-11-19 11:15:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/backintime (Old) and /work/SRC/openSUSE:Factory/.backintime.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "backintime" Sun Nov 19 11:15:49 2017 rev:18 rq:542840 version:1.1.24 Changes: -------- --- /work/SRC/openSUSE:Factory/backintime/backintime.changes 2017-05-17 10:55:42.391412480 +0200 +++ /work/SRC/openSUSE:Factory/.backintime.new/backintime.changes 2017-11-19 11:16:02.205234923 +0100 @@ -1,0 +2,9 @@ +Sat Nov 18 20:14:39 UTC 2017 - [email protected] + +- Update to upstream version 1.1.24 + * fix critical bug: shell injection in notify-send (https://github.com/bit-team/backintime/issues/834) + * fix bug: stat free space for snapshot folder instead of backintime folder (https://github.com/bit-team/backintime/issues/733) + * backport bug fix: backintime root crontab doesn't run; missinng line-feed 0x0A on last line (https://github.com/bit-team/backintime/issues/781) + * backport bug fix: can't open files with spaces in name (https://github.com/bit-team/backintime/issues/552) + +------------------------------------------------------------------- Old: ---- backintime-1.1.20.tar.gz New: ---- backintime-1.1.24.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ backintime.spec ++++++ --- /var/tmp/diff_new_pack.gmI90F/_old 2017-11-19 11:16:03.685181158 +0100 +++ /var/tmp/diff_new_pack.gmI90F/_new 2017-11-19 11:16:03.689181012 +0100 @@ -17,7 +17,7 @@ Name: backintime -Version: 1.1.20 +Version: 1.1.24 Release: 0 Summary: Back In Time is a simple backup tool for Linux, inspired by "flyback project" License: GPL-2.0+ ++++++ backintime-1.1.20.tar.gz -> backintime-1.1.24.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/CHANGES new/backintime-1.1.24/CHANGES --- old/backintime-1.1.20/CHANGES 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/CHANGES 2017-11-07 21:36:43.000000000 +0100 
@@ -1,5 +1,13 @@ Back In Time +Version 1.1.24 +* fix critical bug: shell injection in notify-send (https://github.com/bit-team/backintime/issues/834) + +Version 1.1.22 +* fix bug: stat free space for snapshot folder instead of backintime folder (https://github.com/bit-team/backintime/issues/733) +* backport bug fix: backintime root crontab doesn't run; missinng line-feed 0x0A on last line (https://github.com/bit-team/backintime/issues/781) +* backport bug fix: can't open files with spaces in name (https://github.com/bit-team/backintime/issues/552) + Version 1.1.20 * backport bug fix: polkit CheckAuthorization: race condition in privilege authorization (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7572) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/VERSION new/backintime-1.1.24/VERSION --- old/backintime-1.1.20/VERSION 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/VERSION 2017-11-07 21:36:43.000000000 +0100 @@ -1 +1 @@ -1.1.20 +1.1.24 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/config.py new/backintime-1.1.24/common/config.py --- old/backintime-1.1.20/common/config.py 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/config.py 2017-11-07 21:36:43.000000000 +0100 
@@ -46,7 +46,7 @@ class Config( configfile.ConfigFileWithProfiles ): APP_NAME = 'Back In Time' - VERSION = '1.1.20' + VERSION = '1.1.24' COPYRIGHT = 'Copyright (C) 2008-2017 Oprea Dan, Bart de Koning, Richard Bailey, Germar Reitze' CONFIG_VERSION = 5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/man/C/backintime-askpass.1 new/backintime-1.1.24/common/man/C/backintime-askpass.1 --- old/backintime-1.1.20/common/man/C/backintime-askpass.1 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/man/C/backintime-askpass.1 2017-11-07 21:36:43.000000000 +0100 @@ -1,4 +1,4 @@ -.TH backintime-askpass 1 "Jan 2015" "version 1.1.20" "USER COMMANDS" +.TH backintime-askpass 1 "Jan 2015" "version 1.1.24" "USER COMMANDS" .SH NAME backintime-askpass \- a simple backup tool for Linux. .PP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/man/C/backintime-config.1 new/backintime-1.1.24/common/man/C/backintime-config.1 --- old/backintime-1.1.20/common/man/C/backintime-config.1 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/man/C/backintime-config.1 2017-11-07 21:36:43.000000000 +0100 @@ -1,4 +1,4 @@ -.TH backintime-config 1 "Dec 2015" "version 1.1.20" "USER COMMANDS" +.TH backintime-config 1 "Dec 2015" "version 1.1.24" "USER COMMANDS" .SH NAME config \- BackInTime configuration files. .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/man/C/backintime.1 new/backintime-1.1.24/common/man/C/backintime.1 --- old/backintime-1.1.20/common/man/C/backintime.1 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/man/C/backintime.1 2017-11-07 21:36:43.000000000 +0100 
@@ -1,4 +1,4 @@ -.TH backintime 1 "July 2015" "version 1.1.20" "USER COMMANDS" +.TH backintime 1 "July 2015" "version 1.1.24" "USER COMMANDS" .SH NAME backintime \- a simple backup tool for Linux. .PP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/snapshots.py new/backintime-1.1.24/common/snapshots.py --- old/backintime-1.1.20/common/snapshots.py 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/snapshots.py 2017-11-07 21:36:43.000000000 +0100 @@ -1707,7 +1707,7 @@ if len( snapshots ) <= 1: break - free_space = self._stat_free_space_local(self.config.get_snapshots_path()) + free_space = self._stat_free_space_local(self.config.get_snapshots_full_path()) if free_space is None: free_space = self._stat_free_space_ssh() @@ -1784,7 +1784,7 @@ if self.config.get_snapshots_mode() not in ('ssh', 'ssh_encfs'): return None - snapshots_path_ssh = self.config.get_snapshots_path_ssh() + snapshots_path_ssh = self.config.get_snapshots_full_path_ssh() if not len(snapshots_path_ssh): snapshots_path_ssh = './' cmd = self.cmd_ssh(['df', snapshots_path_ssh]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/common/tools.py new/backintime-1.1.24/common/tools.py --- old/backintime-1.1.20/common/tools.py 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/common/tools.py 2017-11-07 21:36:43.000000000 +0100 
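Review bot: In the second snapshots.py hunk, `snapshots_path_ssh` now comes from `get_snapshots_full_path_ssh()` and is passed unquoted in `self.cmd_ssh(['df', snapshots_path_ssh])`. ssh hands its remote command to the remote login shell, and the full path presumably adds host, user and profile components to the configured base path. A space or shell metacharacter in any of them would then be split or interpreted on the remote side, unless `cmd_ssh` already quotes its arguments (it is not visible here). If it does not, quote the path at this call site, e.g. `cmd = self.cmd_ssh(['df', shlex.quote(snapshots_path_ssh)])`, with `import shlex` at file level. The enclosing method starts and ends outside the hunk.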
@@ -871,7 +871,7 @@ assert isinstance(lines, (list, tuple)), 'lines is not list or tuple type: %s' % lines with tempfile.NamedTemporaryFile(mode = 'wt') as f: f.write('\n'.join(lines)) - f.write('\n') + f.write('\n\n') f.flush() cmd = ['crontab', f.name] proc = subprocess.Popen(cmd, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/debian/changelog new/backintime-1.1.24/debian/changelog --- old/backintime-1.1.20/debian/changelog 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/debian/changelog 2017-11-07 21:36:43.000000000 +0100 @@ -1,3 +1,3 @@ -backintime (1.1.20) unstable; urgency=low - * backport bug fix: polkit CheckAuthorization: race condition in privilege authorization (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7572) - -- Germar Reitze <[email protected]> Sun, 09 Apr 2017 21:07:02 +0200 +backintime (1.1.24) unstable; urgency=low + * fix critical bug: shell injection in notify-send (https://github.com/bit-team/backintime/issues/834) + -- Germar Reitze <[email protected]> Tue, 07 Nov 2017 21:34:43 +0100 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/debian/compat new/backintime-1.1.24/debian/compat --- old/backintime-1.1.20/debian/compat 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/debian/compat 2017-11-07 21:36:43.000000000 +0100 @@ -1 +1 @@ -5 +9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/debian/rules new/backintime-1.1.24/debian/rules --- old/backintime-1.1.20/debian/rules 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/debian/rules 2017-11-07 21:36:43.000000000 +0100 
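Review bot: The doubled terminator in `f.write('\n\n')` has no comment saying why one line feed was not enough. Since `'\n'.join(lines)` followed by `'\n'` already ends the last entry with LF, a later reader is likely to simplify it back. A one-line comment above the write would record the reason, for example `# extra LF: root crontab did not run without a line-feed on the last line (issue 781)`. If the lines written here are later read back from crontab and rewritten, it is also worth confirming that the trailing blank line does not accumulate with each write. The enclosing function starts and ends outside the hunk.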
@@ -29,4 +29,4 @@ dh_python3 /usr/share/backintime/ %: - dh --with python3 $@ + dh $@ --with python3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/qt4/app.py new/backintime-1.1.24/qt4/app.py --- old/backintime-1.1.20/qt4/app.py 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/qt4/app.py 2017-11-07 21:36:43.000000000 +0100 @@ -1207,7 +1207,7 @@ self.path_history.append(rel_path) self.update_files_view( 0 ) else: - self.run = QDesktopServices.openUrl(QUrl(full_path )) + self.run = QDesktopServices.openUrl(QUrl('file://' + full_path)) def files_view_get_name( self, item ): return item.text( 0 ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/qt4/docbook/en/index.docbook new/backintime-1.1.24/qt4/docbook/en/index.docbook --- old/backintime-1.1.20/qt4/docbook/en/index.docbook 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/qt4/docbook/en/index.docbook 2017-11-07 21:36:43.000000000 +0100 @@ -3,8 +3,8 @@ <!ENTITY legal SYSTEM "legal.xml"> <!ENTITY appname "Back In Time"> <!ENTITY app "<application>&appname;</application>"> -<!ENTITY appversion "1.1.20"> -<!ENTITY manrevision "1.1.20"> +<!ENTITY appversion "1.1.24"> +<!ENTITY manrevision "1.1.24"> <!ENTITY date "Juliy 2010"> ]> <!-- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/qt4/man/C/backintime-qt4.1 new/backintime-1.1.24/qt4/man/C/backintime-qt4.1 --- old/backintime-1.1.20/qt4/man/C/backintime-qt4.1 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/qt4/man/C/backintime-qt4.1 2017-11-07 21:36:43.000000000 +0100 
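Review bot: In the qt4/app.py hunk, `QUrl('file://' + full_path)` builds the URL by string concatenation, so characters that are legal in file names but special in URLs (`#`, `?`, `%`) are still parsed as fragment, query or escape delimiters. A snapshot file with such a name would fail to open, or resolve to a different path than the one selected. Qt already provides the encoding-safe constructor for this case: `self.run = QDesktopServices.openUrl(QUrl.fromLocalFile(full_path))`. The enclosing method starts outside the hunk.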
@@ -1,4 +1,4 @@ -.TH backintime-qt4 1 "July 2015" "version 1.1.20" "USER COMMANDS" +.TH backintime-qt4 1 "July 2015" "version 1.1.24" "USER COMMANDS" .SH NAME backintime-qt4 \- a simple backup tool. .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/backintime-1.1.20/qt4/plugins/notifyplugin.py new/backintime-1.1.24/qt4/plugins/notifyplugin.py --- old/backintime-1.1.20/qt4/plugins/notifyplugin.py 2017-04-09 21:09:18.000000000 +0200 +++ new/backintime-1.1.24/qt4/plugins/notifyplugin.py 2017-11-07 21:36:43.000000000 +0100 @@ -19,6 +19,7 @@ import os import pluginmanager import gettext +import subprocess _=gettext.gettext @@ -64,15 +65,15 @@ def on_message( self, profile_id, profile_name, level, message, timeout ): if 1 == level: - cmd = "notify-send " + cmd = ['notify-send'] if timeout > 0: - cmd = cmd + " -t %s" % (1000 * timeout) + cmd.extend(['-t', str(1000 * timeout)]) title = "Back In Time (%s) : %s" % (self.user, profile_name) message = message.replace("\n", ' ') message = message.replace("\r", '') - cmd = cmd + " \"%s\" \"%s\"" % (title, message) - print(cmd) - os.system(cmd) + cmd.append(title) + cmd.append(message) + subprocess.Popen(cmd).communicate() return
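Review bot: In `on_message`, `subprocess.Popen(cmd)` raises `OSError` when `notify-send` is not installed, whereas the `os.system` call it replaces only returned a non-zero status. Unless availability is checked elsewhere in the plugin, a missing binary can now propagate an exception out of the notification callback. Wrapping the call as `try: subprocess.Popen(cmd).communicate()` with `except OSError:` and a log line would keep notifications best-effort. The argument list does take the shell out of the path, but a `message` that begins with `-` would presumably still be read by notify-send as an option; adding `cmd.append('--')` before the title would close that, provided the installed notify-send honours the separator. The enclosing class starts outside the hunk.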
