
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-10174 affects Timeshift, a system restore utility for Linux, in versions before 20.03. The vulnerability was discovered by Matthias Gerstner during a security review and was disclosed on March 4, 2020. The issue lies in the init_tmp function in TeeJee.FileSystem.vala, which unsafely reuses a pre-existing temporary directory at the predictable location /tmp/timeshift (OSS Security, SUSE Bug).
The vulnerability stems from the TEMP_DIR path variable being built from a predictable prefix (/tmp/timeshift/) followed by a random string. The application neither verifies that a pre-existing /tmp/timeshift directory is trustworthy (for example, owned by root and not writable by other users) nor checks whether it is a symlink. When Timeshift runs, it creates a temporary directory under this location and executes scripts from it with root privileges. The issue has been present since version 17.2 and was fixed in version 20.03 (OSS Security).
If exploited, this vulnerability allows an unprivileged local attacker to execute arbitrary code with full root privileges. The vulnerability is triggered whenever Timeshift runs, regardless of the command-line arguments used (CVE Mitre).
The vulnerability was fixed in Timeshift version 20.03 by removing the predictable prefix from the TEMP_DIR path and changing the temporary directory permissions to mode 0750 to prevent other users from accessing sensitive temporary data. Users should upgrade to version 20.03 or later. Various distributions have released security updates, including Ubuntu 19.10 (19.01+ds-2ubuntu0.1) and Fedora 30-32 (Ubuntu Notice, Fedora Update).
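To make the fixed behaviour concrete from the defender's side, here is an added example (not Timeshift's own code, which is written in Vala) that applies the two ideas described above: create the working directory with an unpredictable name directly under the temp base, so there is no fixed /tmp/timeshift component for another local user to pre-create, and refuse to reuse any directory that is a symlink, is owned by someone else, or is writable by group or others. The function names, the 0750 mode (mirroring the mode the advisory says the fix adopted) and the constructed scenario in demo() are assumptions for illustration.

```python
import os
import stat
import tempfile


def check_private_dir(path, expected_uid=None):
    """Return (ok, reason) for reusing `path` as a privileged working directory.

    Uses lstat so a symlink planted at `path` is seen as a symlink rather than
    followed to wherever it points. Refuses anything that is not a plain
    directory owned by the caller and closed to group/world writes.
    """
    uid = os.geteuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != uid:
        return False, "owned by another user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    return True, "ok"


def make_private_work_dir(base="/tmp", prefix="timeshift-"):
    """Create a fresh, unpredictably named directory directly under `base`.

    mkdtemp creates it atomically with mode 0700 and a random suffix, so there
    is no fixed intermediate path another user could have created first. The
    mode is then set to 0750 (assumed here to match the described fix), and
    the result is re-checked before it is handed back.
    """
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    os.chmod(path, 0o750)
    ok, reason = check_private_dir(path)
    if not ok:
        os.rmdir(path)
        raise RuntimeError("refusing to use %s: %s" % (path, reason))
    return path


def demo():
    """Constructed scenario (not from the advisory): inside a throwaway base
    directory, plant a symlink named 'timeshift', a loosely permissioned
    directory, and a directory checked against a different owner, then create
    one properly and show which of them the checks accept."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        link = os.path.join(base, "timeshift")
        os.symlink(base, link)  # a symlink where a directory is expected
        results["symlink"] = check_private_dir(link)

        loose = os.path.join(base, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)  # anyone could drop files here
        results["loose"] = check_private_dir(loose)

        foreign = os.path.join(base, "foreign")
        os.mkdir(foreign)
        # simulate "owned by someone else" by expecting a different uid
        results["foreign_owner"] = check_private_dir(foreign, expected_uid=os.geteuid() + 1)

        fresh = make_private_work_dir(base=base)
        results["fresh"] = check_private_dir(fresh)
        results["fresh_parent_is_base"] = os.path.dirname(fresh) == base
        results["fresh_mode"] = stat.S_IMODE(os.stat(fresh).st_mode)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The key design point is that the directory name is never known in advance and the check happens on the exact path just created, so a pre-planted directory or symlink at a guessable location has nothing to attach to; a pre-existing directory can only be reused if the caller itself owns it and nobody else can write into it.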
Source: This report was generated using AI