Vulnerability in Timeshift that allows privilege escalation on the system

A vulnerability (CVE-2020-10174) has been identified in the Timeshift application that allows a local user to execute code as root. Timeshift is a backup system that uses rsync with hard links or Btrfs snapshots to provide functionality similar to System Restore on Windows and Time Machine on macOS. The program is included in the repositories of many distributions and is used by default in PCLinuxOS and Linux Mint. The vulnerability is fixed in Timeshift 20.03.

The problem is caused by unsafe handling of the world-writable /tmp directory. During a backup, the program creates the /tmp/timeshift directory and, inside it, a randomly named subdirectory containing a shell script with commands that is run as root. The script subdirectory has an unpredictable name, but /tmp/timeshift itself is predictable, and the program does not check whether it has been created by someone else or replaced with a symbolic link. An attacker can create the /tmp/timeshift directory under their own account, watch for the subdirectory to appear, and then replace the subdirectory and the file in it. Timeshift will then execute, with root privileges, the file substituted by the attacker rather than the script the program generated.
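The checks missing from the flow described above, as an added example (not Timeshift's code and not the patch shipped in 20.03). The function names and the `run.sh` file name are hypothetical; the sketch assumes a POSIX system.

```python
import os
import stat
import tempfile


def check_work_dir(path, trusted_uid):
    """Classify a fixed-name working directory before a privileged process uses it."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a symlink target
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return "not a real directory"
    if st.st_uid != trusted_uid:
        # Pre-created by another account: its owner can rename or replace
        # anything placed inside it, however random the child name is.
        return "foreign owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by others"
    return "ok"


def make_private_dir(base=None):
    """Create the working directory with a random name and mode 0700.

    mkdtemp() fails rather than reusing an existing entry, so there is no
    predictable parent for another user to create first.
    """
    return tempfile.mkdtemp(prefix="backup-", dir=base)


def write_script(dirpath, body):
    """Write the script with O_EXCL|O_NOFOLLOW so an existing file or symlink is rejected."""
    path = os.path.join(dirpath, "run.sh")  # hypothetical file name
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o700)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    # Audit the fixed path named in the advisory against root (uid 0).
    print("/tmp/timeshift:", check_work_dir("/tmp/timeshift", 0))
    private = make_private_dir()
    print("private dir:", private, check_work_dir(private, os.getuid()))
    print("script:", write_script(private, "#!/bin/sh\ntrue\n"))
```

A privileged tool would refuse to continue on any result other than "ok", or avoid the shared directory altogether by keeping its scripts under a root-only location.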

Source: opennet.ru
