List:       oss-security
Subject:    [oss-security] CVE Request: libimobiledevice insecure /tmp use
From:       Marc Deslauriers <marc.deslauriers () canonical ! com>
Date:       2013-05-31 14:43:20
Message-ID: 51A8B708.30005 () canonical ! com

Hello,

In libimobiledevice, the following commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d...

Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are
unset. In some distros, upowerd runs this as root, which causes files in
/tmp to be created and updated in an insecure manner as root, allowing
for symlink attacks.

Bugs:
http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263

Could a CVE please be assigned to this issue?

Thanks,

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
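
The issue reported in the message above, seen from the fix side. This is an added example, not part of the original e-mail and not libimobiledevice's own code: a config-directory lookup that fails instead of falling back to /tmp, and an open() wrapper that refuses to write through a symlink. The names resolve_config_dir and open_config_file are hypothetical.

```c
/* Added example; function names are hypothetical, not libimobiledevice API. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve the per-user config directory into out. Returns 0 on success and
 * -1 when neither variable holds an absolute path: no /tmp fallback. */
int resolve_config_dir(char *out, size_t len)
{
    const char *xdg = getenv("XDG_CONFIG_HOME");
    const char *home = getenv("HOME");
    int n;
    if (xdg && xdg[0] == '/')
        n = snprintf(out, len, "%s", xdg);
    else if (home && home[0] == '/')
        n = snprintf(out, len, "%s/.config", home);
    else
        return -1;
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Open (creating if needed) a file for writing. O_NOFOLLOW makes open() fail
 * if the last path component is a symlink; fstat() then rejects anything
 * that is not a regular, singly linked file owned by the effective user. */
int open_config_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[4096];
    return resolve_config_dir(dir, sizeof dir) == 0 ? puts(dir) < 0 : 1;
}
```

A daemon started with an empty environment gets -1 from resolve_config_dir and has to be given an explicit state directory by its packager or service unit.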