[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-08-14 Thread Launchpad Bug Tracker
This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu6.2

---
libimobiledevice (1.1.4-1ubuntu6.2) raring-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers marc.deslauri...@ubuntu.com   Wed, 14 Aug 2013 11:56:31 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to libimobiledevice in Ubuntu.
https://bugs.launchpad.net/bugs/1164263

Title:
  user-specific and possible private files are written to a global
  location

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
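
The changelog above describes the fix as falling back to getpwuid_r instead of /tmp. The following is an added example of that approach, not the CVE-2013-2142 patch or libimobiledevice's own code; the function names resolve_home() and ensure_private_dir() are hypothetical, and the second function additionally shows one way to create the key directory so that a pre-planted symlink or a foreign-owned directory is rejected.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Find the caller's home directory. When $HOME is unset or not absolute
 * (daemons, hotplug helpers), consult the passwd database; never use /tmp.
 * Returns 0 on success, -1 when no home directory can be determined. */
int resolve_home(char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (home == NULL || home[0] != '/') {
        if (getpwuid_r(getuid(), &pw, buf, sizeof buf, &res) != 0 || res == NULL)
            return -1;
        home = res->pw_dir;
    }
    if (home == NULL || home[0] != '/' || strlen(home) >= outlen)
        return -1;              /* fail closed rather than guess a shared path */
    strcpy(out, home);
    return 0;
}

/* Create or adopt a directory for key material. It must be a real directory
 * (not a symlink), owned by the effective user, and end up with mode 0700.
 * Returns 0 when the directory is safe to use, -1 otherwise. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, ok;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;              /* symlink, regular file, or unreadable */
    ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
         ((st.st_mode & 077) == 0 || fchmod(fd, 0700) == 0);
    close(fd);
    return ok ? 0 : -1;
}
```

Checking ownership and mode through the open descriptor (fstat/fchmod) rather than by path keeps the check and the permission change on the same object.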


[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-08-14 Thread Launchpad Bug Tracker
This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu3.2

---
libimobiledevice (1.1.4-1ubuntu3.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers marc.deslauri...@ubuntu.com   Wed, 14 Aug 2013 11:56:31 -0400

** Changed in: libimobiledevice (Ubuntu)
   Status: Confirmed => Fix Released



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-06-06 Thread Marc Deslauriers
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2142



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-05-31 Thread Marc Deslauriers
The directories don't seem to be created in a safe manner though. On
Ubuntu, an attack would be prevented by the Yama symlink restrictions,
but this is definitely an issue.



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-05-31 Thread Marc Deslauriers
I have reproduced this with an iPod in saucy.

Caused by this upstream commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825da48d2e9c20086c4e34869da0b28376676b4c

I don't believe there's anything confidential in that directory though,
it seems to simply consist of the device's public key, which anyone can
pull off the device, and a set of user-specific generated keys for
communication.



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-05-31 Thread Marc Deslauriers
Upstream bug:
http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use

** Changed in: libimobiledevice (Ubuntu)
   Status: New => Confirmed



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-04-07 Thread Paul Collins
** Changed in: libimobiledevice (Ubuntu)
   Status: Incomplete => New



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-04-04 Thread Marc Deslauriers
What user owned those files?

Did you perhaps run some of those tools with sudo, or from root without
a $HOME directory set?

Could you give exact steps necessary to reproduce the issue?


** Information type changed from Private Security to Public Security

** Changed in: libimobiledevice (Ubuntu)
   Status: New => Incomplete



[Bug 1164263] Re: user-specific and possible private files are written to a global location

2013-04-04 Thread Paul Collins
The files are owned by root.  I have not directly run any of the related
tools as root (or indeed ever, that I can recall).

I can create a fresh set simply by removing the existing set and
plugging in my phone:

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x  3 root root 4096 Apr  4 16:31 ./
drwxrwxrwt 19 root root 4096 Apr  5 09:05 ../
drwxr-xr-x  3 root root 4096 Apr  4 16:31 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr  4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr  4 16:31 ../
drwxr-xr-x 2 root root 4096 Apr  4 16:31 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr  4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr  4 16:31 ../
-rw-r--r-- 1 root root  964 Apr  4 16:31 HostCertificate.pem
-rw-r--r-- 1 root root 1679 Apr  4 16:31 HostPrivateKey.pem
-rw-r--r-- 1 root root   54 Apr  4 16:31 libimobiledevicerc
-rw-r--r-- 1 root root  948 Apr  4 16:31 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr  4 16:31 RootPrivateKey.pem
$ sudo rm -rf /tmp/root
$ ls -lRa /tmp/root
ls: cannot access /tmp/root: No such file or directory

[ Here I plug in my phone ]

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x  3 root root 4096 Apr  5 09:07 ./
drwxrwxrwt 19 root root 4096 Apr  5 09:07 ../
drwxr-xr-x  3 root root 4096 Apr  5 09:07 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr  5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr  5 09:07 ../
drwxr-xr-x 2 root root 4096 Apr  5 09:07 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr  5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr  5 09:07 ../
-rw-r--r-- 1 root root  964 Apr  5 09:07 HostCertificate.pem
-rw-r--r-- 1 root root 1675 Apr  5 09:07 HostPrivateKey.pem
-rw-r--r-- 1 root root   54 Apr  5 09:07 libimobiledevicerc
-rw-r--r-- 1 root root  948 Apr  5 09:07 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr  5 09:07 RootPrivateKey.pem
