Description
common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes certain permissions to 0777 before deleting the files in an old backup snapshot, which allows local users to obtain sensitive information by reading these files, or interfere with backup integrity by modifying files that are shared across snapshots.
References (9)
Core 9
Core References
Mailing List x_refsource_confirm
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543785
Issue Tracking, Patch x_refsource_confirm
http://bugs.gentoo.org/show_bug.cgi?id=289047
Broken Link, Patch x_refsource_confirm
http://ftp.debian.org/debian/pool/main/b/backintime/backintime_0.9.26-3.diff.gz
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125554894700336&w=2
Mailing List vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00821.html
Mailing List mailing-list
x_refsource_mlist
http://marc.info/?l=oss-security&m=125553645511436&w=2
Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/ubuntu/+source/backintime/+bug/434256
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=520210
Mailing List vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00823.html
Scores
CVSS v3
7.1
EPSS
0.0006
EPSS Percentile
18.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-732
Status
published
Products (3)
fedoraproject/fedora
10
fedoraproject/fedora
11
le-web/backintime
0.9.26
Published
Oct 26, 2009
Tracked Since
Feb 18, 2026