Insecure tmp directory use
Reported by Marc Deslauriers | May 31st, 2013 @ 02:37 PM | in 1.2.0 Release
The following commit:
http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d...
Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are unset. Upowerd runs this as root, which causes files in /tmp to be created and updated in an insecure manner as root, allowing for symlink attacks.
See downstream bug report:
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/116...
Comments and changes to this ticket
-
Federico Mena Quintero June 27th, 2013 @ 11:44 PM
The code in question, that uses "/tmp/root" for the user's home if $HOME and $XDG_USER_HOME are not set, comes from http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...
That bug had a duplicate marked for it, http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...
The code which is in git right now, and which came from bug 265, is wrong. Simply doing a chain of mkdir() for /tmp/root/.config/blahblah allows for a symlink attack in /tmp.
I think the code in bug 273 is better. At least it directly uses /root if the environment variables for the user's home are not set. In this case, if upowerd is running as root, then it will be able to create /root/.config/blahblah properly, and regular users won't, because they can't write to /root anyway.
The bigger question is, why does libimobiledevice need to write stuff in .config? I don't know the code well enough to answer this right now.
-
Martin S. July 1st, 2013 @ 04:00 PM
- State changed from new to open
- Tag set to configuration, desktop, libimobiledevice
- Milestone set to 1.2.0 Release
Every device that is connected is "paired" with the host. This "pairing" needs to be saved somewhere alongside the one-time generated host ID. Thus .config looked like the "current way of doing things".
I think I tend to use user directories only, thus /root and not fall back as you advise.
This already ended up as CVE anyways... -
Martin S. July 13th, 2013 @ 04:51 PM
- State changed from open to resolved
- Assigned user set to Martin S.
Pushed your fix to git master. Thanks!
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
A project around supporting the iPhone in Linux.
See http://libimobiledevice.org