Bug 970172 - (CVE-2013-2142) CVE-2013-2142 libimobiledevice: Insecure temporary file use when both $XDG_CONFIG_HOME and $HOME are unset
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20130531,reported=2...
Keywords: Reopened, Security
Depends On: 951167 970175
Blocks:
Reported: 2013-06-03 11:21 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:07 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-03-20 14:45:18 EDT
Description Jan Lieskovsky 2013-06-03 11:21:58 EDT
An insecure temporary file use flaw was found in the way libimobiledevice, a library for connecting to mobile devices including phones and music players, created a temporary directory (to hold certificate files) when both the $XDG_CONFIG_HOME and $HOME variables were undefined. A local attacker could use this flaw to conduct symbolic link attacks (possibly leading to their ability to overwrite the content of an arbitrary directory accessible with the privileges of the user running the application linked against libimobiledevice).

References:
[1] https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263
[2] http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
[3] http://www.openwall.com/lists/oss-security/2013/05/31/5
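The pattern behind this class of bug, as an added illustration that is not libimobiledevice's own code: when neither $XDG_CONFIG_HOME nor $HOME is set, a library that falls back to a fixed, predictable directory under /tmp and then creates files there by path can be redirected by a symlink planted in advance by any local user. The fallback path, the function names and the "example" subdirectory below are hypothetical; the block shows the vulnerable create-then-open pattern beside a hardened variant that refuses a pre-existing path it does not own, opens the directory with O_NOFOLLOW and creates the file relative to that directory with O_EXCL|O_NOFOLLOW, and a resolver that refuses to pick a fallback at all when both variables are unset. The demonstration builds its own scratch area with mkdtemp(3); nothing outside it is touched.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Choose the config directory the XDG way. Returns 0 and fills `out`, or
 * -1 when neither variable is set: the safe choice is to refuse, not to
 * fall back to a fixed, world-predictable path under /tmp. */
int resolve_config_dir(const char *xdg_config_home, const char *home,
                       char *out, size_t outlen)
{
    if (xdg_config_home && *xdg_config_home)
        snprintf(out, outlen, "%s/example", xdg_config_home);   /* hypothetical name */
    else if (home && *home)
        snprintf(out, outlen, "%s/.config/example", home);
    else
        return -1;
    return 0;
}

/* Insecure pattern: create-if-missing, then open by path. If `dir` is an
 * attacker's symlink, mkdir() fails with EEXIST (treated as "already there")
 * and fopen() follows the link into whatever directory the attacker chose. */
int write_cert_insecure(const char *dir, const char *name, const char *pem)
{
    char path[4096];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(pem, f);
    fclose(f);
    return 0;
}

/* Hardened: a pre-existing path is accepted only if it is a real directory
 * (lstat, so a symlink is not followed) owned by us with no group/other
 * access; the directory is opened with O_NOFOLLOW and the file is created
 * relative to it with O_EXCL|O_NOFOLLOW, so a planted link at either level
 * is an error rather than a redirect. */
int write_cert_secure(const char *dir, const char *name, const char *pem)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0) {
        if (errno != EEXIST)
            return -1;
        if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
            st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)))
            return -1;   /* symlink, foreign owner, or too permissive */
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(pem);
    int rc = (write(fd, pem, len) == len) ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed demonstration: inside a private scratch directory the
 * "attacker" plants `config` as a symlink to a directory of their choosing.
 * Returns 1 if the insecure variant wrote through the link while the
 * hardened variant refused, 0 otherwise, -1 on setup failure. */
int demo_symlink_attack(void)
{
    char scratch[] = "/tmp/cve-2013-2142-demo-XXXXXX";
    char victim[4096], planted_link[4096], planted_file[4096];
    if (!mkdtemp(scratch))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", scratch);
    snprintf(planted_link, sizeof planted_link, "%s/config", scratch);
    snprintf(planted_file, sizeof planted_file, "%s/cert.pem", victim);
    mkdir(victim, 0700);
    symlink(victim, planted_link);              /* the attacker's move */

    int insecure = write_cert_insecure(planted_link, "cert.pem", "-----BEGIN CERTIFICATE-----\n");
    int landed = (access(planted_file, F_OK) == 0);   /* file ended up in victim/ */
    unlink(planted_file);
    int secure = write_cert_secure(planted_link, "cert.pem", "-----BEGIN CERTIFICATE-----\n");
    int landed_again = (access(planted_file, F_OK) == 0);

    unlink(planted_link); rmdir(victim); rmdir(scratch);
    return (insecure == 0 && landed && secure == -1 && !landed_again) ? 1 : 0;
}

int main(void)
{
    printf("insecure wrote through symlink, hardened refused: %s\n",
           demo_symlink_attack() == 1 ? "yes" : "no");
    return 0;
}
```

The ownership and mode check in the hardened variant is what matters when the directory already exists: a symlink fails the S_ISDIR test, and a real directory created by someone else fails the uid test, so the library never writes into a location a local attacker controls.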
Comment 1 Jan Lieskovsky 2013-06-03 11:23:39 EDT
This issue did NOT affect the version of libimobiledevice as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of libimobiledevice as shipped with Fedora releases 17 and 18. Please schedule an update (once there is a final upstream patch available).
Comment 2 Jan Lieskovsky 2013-06-03 11:25:03 EDT
Created libimobiledevice tracking bugs for this issue

Affects: fedora-all [bug 970175]
Comment 3 Jan Lieskovsky 2013-06-03 11:27:29 EDT
Statement:

Not vulnerable. This issue did not affect the version of libimobiledevice as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 825da48d2e9c20086c4e34869da0b28376676b4c that introduced this issue.
Comment 4 Jan Lieskovsky 2013-06-05 05:31:56 EDT
The CVE identifier of CVE-2013-2142 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/06/04/11
Comment 6 Bastien Nocera 2013-11-22 09:46:20 EST
Does this also affect unreleased versions?
Comment 8 Jan Lieskovsky 2013-11-22 10:15:43 EST
(In reply to Bastien Nocera from comment #6)
> Does this also affect unreleased versions?

Looks like it got fixed in the 1.2.0 upstream version already. I don't have an iPod/phone to try whether the fix works, but the patch in the previous comment seems to be applicable to recent Fedora versions.
Comment 10 Fedora Update System 2014-08-29 23:54:05 EDT
libplist-1.11-2.fc20, libusbmuxd-1.0.9-2.fc20, libimobiledevice-1.1.6-2.fc20, usbmuxd-1.0.9-0.4.c24463e.fc20, ifuse-1.1.3-3.fc20, libgpod-0.8.3-2.fc20, upower-0.9.23-3.fc20, gvfs-1.18.3-3.fc20 have been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Peter Robinson 2015-03-20 14:45:18 EDT
Fixed in all current Fedora releases
