Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 289047 - app-backup/backintime: Information disclosure when removing old backups (CVE-2009-3611)
Summary: app-backup/backintime: Information disclosure when removing old backups (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-14 13:58 UTC by Alex Legler (RETIRED)
Modified: 2009-10-26 21:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
backintime-0.9.26_snapshots.patch (backintime-0.9.26_snapshots.patch,1.11 KB, patch)
2009-10-14 13:59 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-14 13:58:04 UTC
From the Debian bugreport:
When asking backintime to remove an old backup, it first change mode
of all file of the backup to 777, allowing potentially every local
user to read and modify those before they are deleted (and this could take some
time). 

Worst still, if a file is shared between several backup, as the file's
mode are also shared, it stay world readable and writable in those
other backup.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-14 13:59:42 UTC
Created attachment 207083 [details, diff]
backintime-0.9.26_snapshots.patch

Patch taken from Fedora's backintime-0.9.26_snapshots.patch.
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2009-10-14 18:22:04 UTC
patch applied in backintime-0.9.26-r1.ebuild - old version removed.
thanks for the sec check.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-14 18:43:41 UTC
Thanks, closing.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:14:09 UTC
CVE-2009-3611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3611):
  common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes
  certain permissions to 0777 before deleting the files in an old
  backup snapshot, which allows local users to obtain sensitive
  information by reading these files, or interfere with backup
  integrity by modifying files that are shared across snapshots.