PT-2020-2777 · Teejee+2 · Timeshift+2

Matthias Gerstner · Published 2020-03-05 · Updated 2022-01-01 · CVE-2020-10174

CVSS v3.1: 7.0 High
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Timeshift versions prior to 20.03

Description: The init_tmp function of TeeJee.FileSystem.vala in Timeshift reuses a pre-existing, predictable temporary location under /tmp/timeshift without verifying who created it, a race condition on a shared resource combined with link following. Because Timeshift runs as root, a local attacker who wins the race can replace the scripts Timeshift creates there with attacker-controlled scripts, which Timeshift then executes with full root privileges. Timeshift is a backup system that uses rsync or Btrfs snapshots, providing functionality similar to System Restore in Windows and Time Machine in macOS.

Recommendations: For versions prior to 20.03, update to version 20.03 or later to resolve the issue. As a temporary workaround, restrict access to the /tmp/timeshift location (for example, pre-create it as root with permissions that deny other users write access) to reduce the risk of exploitation; note that /tmp is commonly cleared at boot, so such a pre-created directory has to be re-established after each reboot. Otherwise, avoid using Timeshift until it is updated, since the vulnerable logic is triggered practically every time Timeshift runs, regardless of the command-line arguments used.
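The following is an added example, not Timeshift's own code, showing the safe counterpart to the flawed pattern described above: a process that blindly reuses a predictable path under /tmp, follows a symlink planted there, and then executes files from it. The checks below refuse a symlink or a directory not owned by the caller or writable by others, and create files with O_CREAT|O_EXCL|O_NOFOLLOW so a planted entry is never reused. The function names and the /tmp/ts-example path are this example's own choices.

```c
/*
 * Added example (not Timeshift's own code): hardened handling of a
 * fixed scratch directory under /tmp.  A privileged process that
 * reuses a pre-existing /tmp path without checks lets any local user
 * pre-create that path (or a symlink at it) and swap in the scripts
 * the process later runs.  Rules applied here:
 *   - never follow a symlink at the directory path (lstat, O_NOFOLLOW)
 *   - the directory must be owned by the calling user and must not be
 *     group- or world-writable, otherwise refuse to use it
 *   - create files inside it with O_CREAT|O_EXCL|O_NOFOLLOW so a
 *     planted file or symlink is never silently reused
 * Function names and the scratch path are this example's own choices.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if `dir` may be used as a private scratch directory by the
 * calling user; -1 (with errno set) otherwise. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)
        return -1;                          /* missing or unreadable */
    if (S_ISLNK(st.st_mode)) {              /* planted symlink */
        errno = ELOOP;
        return -1;
    }
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if (st.st_uid != geteuid()) {           /* someone else created it */
        errno = EPERM;
        return -1;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { /* others could replace files */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Create `dir` with mode 0700 or, if it already exists, accept it only
 * when check_private_dir() passes.  Returns 0 on success, -1 on failure. */
int init_tmp_safe(const char *dir)
{
    if (mkdir(dir, 0700) == 0)
        return 0;
    if (errno != EEXIST)
        return -1;
    return check_private_dir(dir);
}

/* Write `body` to `dir`/`name` without following a symlink anywhere and
 * without reusing an entry that was already there.  Returns 0 on success. */
int write_script_safe(const char *dir, const char *name, const char *body)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* Re-check through the descriptor actually used, which closes the
     * window between check_private_dir() and open(). */
    struct stat st;
    if (fstat(dfd, &st) != 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* Drop any stale or planted entry, then create exclusively. */
    if (unlinkat(dfd, name, 0) != 0 && errno != ENOENT) {
        close(dfd);
        return -1;
    }
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0700);
    close(dfd);
    if (fd < 0)
        return -1;
    size_t len = strlen(body);
    ssize_t n = write(fd, body, len);
    int rc = (n == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    const char *dir = "/tmp/ts-example";   /* example path, not Timeshift's */
    if (init_tmp_safe(dir) != 0) {
        perror("init_tmp_safe");
        return 1;
    }
    if (write_script_safe(dir, "hook.sh", "#!/bin/sh\necho hello\n") != 0) {
        perror("write_script_safe");
        return 1;
    }
    printf("%s is private; hook.sh written safely\n", dir);
    return 0;
}
```

The ownership and permission check is what a pre-created workaround directory must satisfy as well: if /tmp/timeshift is a symlink, belongs to another user, or is writable by group or others, the check fails and the directory must not be used.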

Fix

Weakness Enumeration

Link Following
Race Condition

Related Identifiers

ALT-PU-2020-1431
ALT-PU-2020-1554
BDU:2020-02872
CVE-2020-10174

Affected Products

Alt Linux
Timeshift
Ubuntu