oss-sec mailing list archives
CVE Request: libimobiledevice insecure /tmp use
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 31 May 2013 10:43:20 -0400
Hello,

In libimobiledevice, the following commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d...

Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are unset. In some distros, upowerd runs this as root, which causes files in /tmp to be created and updated in an insecure manner as root, allowing for symlink attacks.

Bugs:
http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263

Could a CVE please be assigned to this issue?

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/