oss-sec mailing list archives
CVE Request -- android-tools (server): Insecure temporary file used for logging
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Nov 2012 06:44:48 -0500 (EST)
Hello Kurt, Steve, vendors, Christoph Biedl in Debian bug report [1] noticed the following deficiency: An insecure temporary file use flaw was found in the way server component of android tools, a suite of Android Debug Bridge (ADB) platform tools, performed logging of server events upon server startup. A local attacker could use this flaw to conduct symbolic links attacks, possibly leading to their ability to append unauthorized content to system files accessible with the privileges of the user running the adb executable. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688280 [2] https://bugzilla.redhat.com/show_bug.cgi?id=879582 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- android-tools (server): Insecure temporary file used for logging Jan Lieskovsky (Nov 23)
- Re: CVE Request -- android-tools (server): Insecure temporary file used for logging Kurt Seifried (Nov 23)