List: oss-security
Subject: [oss-security] CVE Request: libimobiledevice insecure /tmp use
From: Marc Deslauriers <marc.deslauriers () canonical ! com>
Date: 2013-05-31 14:43:20
Message-ID: 51A8B708.30005 () canonical ! com
Hello,

In libimobiledevice, the following commit:
http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d...
Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are
unset. In some distros, upowerd runs this as root, which causes files in
/tmp to be created and updated in an insecure manner as root, allowing
for symlink attacks.

Bugs:
http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263

Could a CVE please be assigned to this issue?

Thanks,

Marc.
--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
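
The report above turns on a config-directory lookup that falls back to /tmp when $XDG_CONFIG_HOME and $HOME are unset. The C sketch below is an added example, not code from libimobiledevice or its fix: it shows a lookup that fails instead of falling back, and a file open that rejects directories other users can write to and refuses a symlink at the file name. The function names `config_dir` and `open_config_file` and the file name `example.conf` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: choose the per-user config directory. Returns 0 and
 * fills buf, or -1 when neither variable is usable. No fallback to /tmp. */
int config_dir(char *buf, size_t len)
{
    const char *xdg = getenv("XDG_CONFIG_HOME");
    const char *home = getenv("HOME");
    int n;
    if (xdg && xdg[0] == '/')
        n = snprintf(buf, len, "%s", xdg);
    else if (home && home[0] == '/')
        n = snprintf(buf, len, "%s/.config", home);
    else
        return -1;
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Hypothetical helper: open (creating if needed) `name` inside `dir`. Refuses
 * a directory that is not ours or that others can write to; no symlinks. */
int open_config_file(const char *dir, const char *name)
{
    struct stat st;
    int fd, dfd;
    if (name[0] == '\0' || strchr(name, '/'))
        return -1;                      /* name must be a single component */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        fd = -1;                        /* shared directory such as /tmp */
    else
        fd = openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dfd);
    return fd;
}

int main(void)
{
    char dir[4096];
    return config_dir(dir, sizeof dir) < 0 || open_config_file(dir, "example.conf") < 0;
}
```

A caller running as a daemon with both variables unset gets -1 from `config_dir` and has to skip the write or use a directory the service owns.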