Bug 289047

Summary:

app-backup/backintime: Information disclosure when removing old backups (CVE-2009-3611)

Product:

Gentoo Security

Reporter:

Alex Legler (RETIRED) <a3li>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

trivial

CC:

bangert

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543785

Whiteboard:

~4 [noglsa]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
backintime-0.9.26_snapshots.patch	none

Description Alex Legler (RETIRED) archtester

2009-10-14 13:58:04 UTC

From the Debian bugreport:
When asking backintime to remove an old backup, it first change mode
of all file of the backup to 777, allowing potentially every local
user to read and modify those before they are deleted (and this could take some
time). 

Worst still, if a file is shared between several backup, as the file's
mode are also shared, it stay world readable and writable in those
other backup.

Comment 1 Alex Legler (RETIRED) archtester

2009-10-14 13:59:42 UTC

Created attachment 207083 [details, diff]
backintime-0.9.26_snapshots.patch

Patch taken from Fedora's backintime-0.9.26_snapshots.patch.

Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev

2009-10-14 18:22:04 UTC

patch applied in backintime-0.9.26-r1.ebuild - old version removed.
thanks for the sec check.

Comment 3 Alex Legler (RETIRED) archtester

2009-10-14 18:43:41 UTC

Thanks, closing.

Comment 4 Tobias Heinlein (RETIRED) gentoo-dev

2009-10-26 21:14:09 UTC

CVE-2009-3611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3611):
  common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes
  certain permissions to 0777 before deleting the files in an old
  backup snapshot, which allows local users to obtain sensitive
  information by reading these files, or interfere with backup
  integrity by modifying files that are shared across snapshots.