Libiphone libiphone → 1.2.0 Release

Comments and changes to this ticket

• You flagged this item as spam.
  

  Federico Mena Quintero June 27th, 2013 @ 11:44 PM

  The code in question, that uses "/tmp/root" for the user's home if $HOME and $XDG_USER_HOME are not set, comes from http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...

  That bug had a duplicate marked for it, http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets...

  The code which is in git right now, and which came from bug 265, is wrong. Simply doing a chain of mkdir() for /tmp/root/.config/blahblah allows for a symlink attack in /tmp.

  I think the code in bug 273 is better. At least it directly uses /root if the environment variables for the user's home are not set. In this case, if upowerd is running as root, then it will be able to create /root/.config/blahblah properly, and regular users won't, because they can't write to /root anyway.

  The bigger question is, why does libimobiledevice need to write stuff in .config? I don't know the code well enough to answer this right now.

• 

  Martin S. July 1st, 2013 @ 04:00 PM

  • State changed from “new” to “open”
  • Tag set to “configuration, desktop, libimobiledevice”
  • Milestone set to “1.2.0 Release”

  Every device that is connected is "paired" with the host. This "pairing" needs to be saved somewhere alongside the one-time generated host ID. Thus .config looked like the "current way of doing things".

  I think I tend to use user directories only, thus /root and not fall back as you advise.
  This already ended up as CVE anyways...

• 

  Martin S. July 13th, 2013 @ 04:51 PM

  • State changed from “open” to “resolved”
  • Assigned user set to “Martin S.”

  Pushed your fix to git master. Thanks!