Re: CVE Request -- android-tools (server): Insecure temporary file used for logging

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/23/2012 04:44 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> Christoph Biedl in Debian bug report [1] noticed the following
> deficiency:
>
> An insecure temporary file use flaw was found in the way server
> component of android tools, a suite of Android Debug Bridge (ADB)
> platform tools, performed logging of server events upon server
> startup. A local attacker could use this flaw to conduct symbolic
> links attacks, possibly leading to their ability to append
> unauthorized content to system files accessible with the privileges
> of the user running the adb executable.
>
> References: [1]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688280 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=879582
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team

Please use CVE-2012-5564 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQr9RiAAoJEBYNRVNeJnmTWf0P/j7uMLeu5rT3UFvpKcFpynn2
2CH/zKBY5bccRM55Uxfv8KVzSQnxHS1Oe8NajXazTezpcYYlrNVUp/ZO0ieUtv4T
AHJ+i6AFOrYzERpuLy23+BCQQCOW5QAfl+aKPElIVv7N/UjHr0GtKbxo+bB2S6Ai
KPlo0I8CjAPeFRfE+lirX8zWjECoau5/ZSW7ApmzLrBepsgAXmFXf95pMLXia1kY
1JifG6rCwrxA5+I/QtMiEfIVe2n9VOEz1UyZ0ajgw8suUxQ3f+hMmP2NmTpTI/nl
pWkrrL8XUJxyYeMHND/AvIB3YrIvLWWR8Mfsx+hHhfdDI+HfmsgUJxEu65c4zPVZ
s6gsDuLOcpFRY/of3zdf65eIqwjb2gaA9nugrZsju/z97H/0SCj8KQAiS+RU3SPn
IdcFssui2SNxXKnqvQkk+DwyJvH9JahreryoxvVfhZDdzEBoqcNsEJyx5dOUmoG7
da1JeSuvbo0ViIiWSKtDzpCX4LPHCLU7t5iF1e9HU46rIhA4olYaZZFlpLHxXs9n
8Ns/eZlKN8jE+IDCatoHzqjsNMdA34E8nUYgmMp945jlkBNmjSLVsSIFYGDjcB7k
snDl/iySQVCaKbJzU9ATnAScp0Nxvkj0glKgpjVCaWSlYrzUMTLXikXMtDqntrx2
xEUvnKJvWX+LXIj+BdXU
=FLKN
-----END PGP SIGNATURE-----