#331 ✓resolved
Marc Deslauriers

Insecure tmp directory use

Reported by Marc Deslauriers | May 31st, 2013 @ 02:37 PM | in 1.2.0 Release

The following commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d...

Falls back to creating files in /tmp if $XDG_CONFIG_HOME and $HOME are unset. Upowerd runs this as root, which causes files in /tmp to be created and updated in an insecure manner as root, allowing for symlink attacks.

See downstream bug report:
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/116...

Comments and changes to this ticket

  • Federico Mena Quintero

    Federico Mena Quintero June 27th, 2013 @ 11:44 PM

    The code in question, that uses "/tmp/root" for the user's home if $HOME and $XDG_USER_HOME are not set, comes from http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...

    That bug had a duplicate marked for it, http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...

    The code which is in git right now, and which came from bug 265, is wrong. Simply doing a chain of mkdir() for /tmp/root/.config/blahblah allows for a symlink attack in /tmp.

    I think the code in bug 273 is better. At least it directly uses /root if the environment variables for the user's home are not set. In this case, if upowerd is running as root, then it will be able to create /root/.config/blahblah properly, and regular users won't, because they can't write to /root anyway.

    The bigger question is, why does libimobiledevice need to write stuff in .config? I don't know the code well enough to answer this right now.

  • Martin S.

    Martin S. July 1st, 2013 @ 04:00 PM

    • State changed from “new” to “open”
    • Tag set to configuration, desktop, libimobiledevice
    • Milestone set to 1.2.0 Release

    Every device that is connected is "paired" with the host. This "pairing" needs to be saved somewhere alongside the one-time generated host ID. Thus .config looked like the "current way of doing things".

    I think I tend to use user directories only, thus /root and not fall back as you advise.
    This already ended up as CVE anyways...

  • Martin S.

    Martin S. July 13th, 2013 @ 04:51 PM

    • State changed from “open” to “resolved”
    • Assigned user set to “Martin S.”

    Pushed your fix to git master. Thanks!

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

A project around supporting the iPhone in Linux.

See http://libimobiledevice.org

People watching this ticket

Pages