oss-sec mailing list archives

CVE Request -- android-tools (server): Insecure temporary file used for logging

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Nov 2012 06:44:48 -0500 (EST)

Hello Kurt, Steve, vendors,

  Christoph Biedl in Debian bug report [1] noticed the
following deficiency:

An insecure temporary file use flaw was found in the way
server component of android tools, a suite of Android Debug
Bridge (ADB) platform tools, performed logging of server
events upon server startup. A local attacker could use this
flaw to conduct symbolic links attacks, possibly leading to
their ability to append unauthorized content to system files
accessible with the privileges of the user running the adb
executable.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688280
[2] https://bugzilla.redhat.com/show_bug.cgi?id=879582

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- android-tools (server): Insecure temporary file used for logging Jan Lieskovsky (Nov 23)
- Re: CVE Request -- android-tools (server): Insecure temporary file used for logging Kurt Seifried (Nov 23)