backintime-1.3.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10647 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z backintime-1.3.1-1.2 on GA media These are all security issues fixed in the backintime-1.3.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10647 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10647 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-7572/ SUSE CVE CVE-2017-7572 page openSUSE Tumbleweed backintime-1.3.1-1.2 backintime-lang-1.3.1-1.2 backintime-qt-1.3.1-1.2 backintime-1.3.1-1.2 as a component of openSUSE Tumbleweed backintime-lang-1.3.1-1.2 as a component of openSUSE Tumbleweed backintime-qt-1.3.1-1.2 as a component of openSUSE Tumbleweed The _checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use). With this authorization method, the owner of a process requesting a polkit operation is checked by polkitd via /proc/<pid>/status, by which time the requesting process may have been replaced by a different process with the same PID that has different privileges then the original requester. CVE-2017-7572 openSUSE Tumbleweed:backintime-1.3.1-1.2 openSUSE Tumbleweed:backintime-lang-1.3.1-1.2 openSUSE Tumbleweed:backintime-qt-1.3.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7572.html CVE-2017-7572 https://bugzilla.suse.com/1032717 SUSE Bug 1032717