Description
Security update for backintime
This update for backintime to version 1.1.20 fixes several issues.
These security issues were fixed:
- CVE-2017-7572: The _checkPolkitPrivilege function in serviceHelper.py in backintime used a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use) (bsc#1032717).
- Don't store passwords given to polkit helper
- boo#1007723: General security hardening measures
These non-security issues were fixed:
- Delete udev configuration files on uninstall
- Merge doc subpackage into main package
Package list
openSUSE Leap 42.1
backintime-1.1.20-3.3.1
backintime-lang-1.1.20-3.3.1
backintime-qt4-1.1.20-3.3.1
openSUSE Leap 42.2
backintime-1.1.20-3.3.1
backintime-lang-1.1.20-3.3.1
backintime-qt4-1.1.20-3.3.1
References
- E-Mail link for openSUSE-SU-2017:1124-1
- SUSE Security Ratings
Description
The _checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use). With this authorization method, the owner of a process requesting a polkit operation is checked by polkitd via /proc/<pid>/status, by which time the requesting process may have been replaced by a different process with the same PID that has different privileges than the original requester.
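The race described above can be modelled deterministically; the following is an added example, not code from backintime or polkit. ProcTable, Bus, PID 4242, the bus name :1.57 and the rule that only uid 0 is authorized are constructed assumptions, and authorize_bus_name models a check tied to the requester's bus connection (the idea behind polkit's system-bus-name subject kind).

```python
# Added illustration: a deterministic model of the check, not polkit or backintime code.
from dataclasses import dataclass, field

ADMIN_UID = 0  # assumption: only uid 0 is authorized for the action


@dataclass
class ProcTable:
    """Stands in for /proc/<pid>/status: maps a PID to its current owner uid."""
    owner: dict = field(default_factory=dict)

    def uid_of(self, pid):
        return self.owner[pid]


@dataclass
class Bus:
    """Stands in for the message bus: the uid is recorded once, at connect time."""
    peers: dict = field(default_factory=dict)

    def connect(self, name, uid):
        self.peers[name] = uid

    def uid_of(self, name):
        return self.peers[name]


def authorize_unix_process(proc, pid):
    # Time of use: ownership is looked up by PID when the check runs,
    # so it reflects whatever holds that PID now.
    return proc.uid_of(pid) == ADMIN_UID


def authorize_bus_name(bus, name):
    # Identity is bound to the connection that sent the request.
    return bus.uid_of(name) == ADMIN_UID


def run_scenario():
    proc, bus = ProcTable(), Bus()
    # Time of check: an unprivileged requester (uid 1000, PID 4242) sends a request.
    proc.owner[4242] = 1000   # constructed sample values
    bus.connect(":1.57", 1000)
    # Before the authority inspects the PID, a different process with
    # different privileges holds PID 4242 (the condition in the advisory).
    proc.owner[4242] = 0
    return authorize_unix_process(proc, 4242), authorize_bus_name(bus, ":1.57")
```

run_scenario() returns the PID-based decision first and the connection-based decision second, so the two can be compared for the same request.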
Affected products
openSUSE Leap 42.1:backintime-1.1.20-3.3.1
openSUSE Leap 42.1:backintime-lang-1.1.20-3.3.1
openSUSE Leap 42.1:backintime-qt4-1.1.20-3.3.1
openSUSE Leap 42.2:backintime-1.1.20-3.3.1
References
- CVE-2017-7572
- SUSE Bug 1032717