Date: Fri, 31 May 2013 10:43:20 -0400 From: Marc Deslauriers <marc.deslauriers@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE Request: libimobiledevice insecure /tmp use Hello, In libimobiledevice, the following commit: http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d... Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are unset. In some distros, upowerd runs this as root, which causes files in /tmp to be created and updated in an insecure manner as root, allowing for symlink attacks. Bugs: http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263 Could a CVE please be assigned to this issue? Thanks, Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.