Your message dated Mon, 16 Mar 2020 21:32:19 +0000
with message-id <[email protected]>
and subject line Bug#953385: fixed in timeshift 19.01+ds-2+deb10u1
has caused the Debian Bug report #953385,
regarding timeshift: CVE-2020-10174
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
953385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953385
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: timeshift
Version: 19.01+ds-2.1
Severity: important
Tags: security upstream
Control: found -1 19.01+ds-2
Hi,
The following vulnerability was published for timeshift.
CVE-2020-10174[0]:
| init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely
| reuses a preexisting temporary directory in the predictable location
| /tmp/timeshift. It follows symlinks in this location or uses
| directories owned by unprivileged users. Because Timeshift also
| executes scripts under this location, an attacker can attempt to win a
| race condition to replace scripts created by Timeshift with attacker-
| controlled scripts. Upon success, an attacker-controlled script is
| executed with full root privileges. This logic is practically always
| triggered when Timeshift runs regardless of the command-line arguments
| used.
Note that this seems not to be mitigated by the default enabled
fs.protected_symlinks kernel hardening.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10174
[1] https://www.openwall.com/lists/oss-security/2020/03/06/3
[2] https://bugzilla.suse.com/show_bug.cgi?id=1165802
[3] https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462
Regards,
Salvatore
--- End Message ---
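As a defender's illustration of the fix the CVE text calls for (added here; this is not Timeshift's Vala code from the commit in [3]), the C functions below show the two safe alternatives to blindly reusing /tmp/timeshift: validate a preexisting directory with lstat(), ownership and mode checks, or create a fresh, unpredictable one with mkdtemp(). The function names, the "timeshift-" prefix and the demo scenario are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 only if `path` may be reused as a private scratch dir: a real directory
 * (lstat, so a planted symlink fails S_ISDIR regardless of
 * fs.protected_symlinks), owned by the caller, not group/other writable. */
int tmpdir_is_safe(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;                  /* missing or unreadable */
    if (!S_ISDIR(st.st_mode))
        return 0;                  /* symlink or regular file */
    if (st.st_uid != geteuid())
        return 0;                  /* created by someone else */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                  /* others could swap its contents */
    return 1;
}

/* Fresh 0700 directory with an unpredictable name via mkdtemp(); path is
 * copied to `out`.  The "timeshift-" prefix is illustrative only. */
int tmpdir_create_private(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/timeshift-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s", tmpl) >= (int)outlen) { rmdir(tmpl); return -1; }
    return 0;
}

/* Constructed demo: the private dir passes; a symlink to it and a world-
 * writable version of it are rejected.  Returns 1 if all behaved as expected. */
int demo_checks(void)
{
    char dir[64], link[80];
    if (tmpdir_create_private(dir, sizeof dir) != 0)
        return 0;
    snprintf(link, sizeof link, "%s.lnk", dir);
    int ok = tmpdir_is_safe(dir) == 1
          && symlink(dir, link) == 0 && tmpdir_is_safe(link) == 0
          && chmod(dir, 0777) == 0 && tmpdir_is_safe(dir) == 0;
    unlink(link);
    rmdir(dir);
    return ok;
}
```

The demo only checks the final path component; a hardened program should also open the directory with O_DIRECTORY | O_NOFOLLOW and work relative to that descriptor so a later rename cannot swap it out.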
--- Begin Message ---
Source: timeshift
Source-Version: 19.01+ds-2+deb10u1
Done: Boyuan Yang <[email protected]>
We believe that the bug you reported is fixed in the latest version of
timeshift, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Boyuan Yang <[email protected]> (supplier of updated timeshift package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 12 Mar 2020 17:24:24 -0400
Source: timeshift
Binary: timeshift timeshift-dbgsym
Architecture: source amd64
Version: 19.01+ds-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Yanhao Mo <[email protected]>
Changed-By: Boyuan Yang <[email protected]>
Description:
timeshift - System restore utility
Closes: 952685 953385
Changes:
timeshift (19.01+ds-2+deb10u1) buster; urgency=medium
.
* Team upload.
* debian/control: Use new homepage. (Closes: #952685)
* debian/patches/0006: Backport upstream fix on predictable
location of temporary directory.
(Closes: #953385, CVE-2020-10174)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---