
Arq 5 Mac security update - graystevens
https://www.arqbackup.com/download/arq5_release_notes.html
======
graystevens
From the email:

    
    
      Arq for Mac Vulnerabilities Fixed
      
      Mark Wadham (thank you Mark for all your help identifying and helping to resolve this!) identified a vulnerability in Arq 5 for Mac where an attacker could become "root" user. The issue was the way Arq applied the set-user-ID-on-execution bit to helper apps (for auto-updating, backup using administrator privileges, and restoring). The affected helper apps were arq_updater (for auto-update), arqcommitter (for backing up) and standardrestorer, arqglacierrestorer and arqs3glacierrestorer (for restoring). The fix for this issue is implemented in Arq 5.10:
      
      When you double-click the Arq icon in the DMG, Arq copies itself to /Applications and sets the permissions on the application bundle to prevent non-root users from modifying it.
      Arq will only set the set-user-ID-on-execution bit on the helper apps if the Arq app bundle is installed in /Applications.
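
An added example, not part of the post or of Arq's code: a check for the two conditions the note describes, flagging any set-user-ID file in a bundle that is outside /Applications or that sits in a path a non-root user can modify. The function names, the default path `/Applications/Arq.app`, and the "owned by root and not group/world writable" criterion are assumptions made for illustration.

```python
import os
import stat
import sys

NON_ROOT_WRITE = stat.S_IWGRP | stat.S_IWOTH


def non_root_can_modify(uid, mode):
    """Assumed criterion: not owned by root, or group/world writable."""
    return uid != 0 or bool(mode & NON_ROOT_WRITE)


def audit(entries, bundle):
    """entries maps absolute path -> (uid, mode) for the bundle and its contents.
    Returns (path, reason) findings for every set-user-ID file in the bundle."""
    bundle = os.path.normpath(bundle)
    findings = []
    for path, (uid, mode) in sorted(entries.items()):
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
            continue
        if os.path.dirname(bundle) != "/Applications":
            findings.append((path, "setuid helper outside /Applications"))
        # Walk from the helper up to and including the bundle root.
        node = path
        while node == bundle or node.startswith(bundle + "/"):
            if non_root_can_modify(*entries[node]):
                findings.append((path, "non-root can modify " + node))
            node = os.path.dirname(node)
    return findings


def scan(bundle):
    """lstat the bundle directory and everything under it."""
    entries = {}
    for root, _dirs, files in os.walk(os.path.abspath(bundle)):
        for p in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(p)
            entries[p] = (st.st_uid, st.st_mode)
    return entries


if __name__ == "__main__":
    # Assumed install path; pass a different bundle path as the first argument.
    target = os.path.abspath(sys.argv[1] if len(sys.argv) > 1 else "/Applications/Arq.app")
    for where, why in audit(scan(target), target):
        print(where + ": " + why)
```

An empty result means every set-user-ID file found is in a bundle under /Applications and is root-owned with no group or world write bit on it or on any directory between it and the bundle root.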

