CVE-2013-2142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2142): userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not set, allows local users to overwrite arbitrary files via a symlink attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3) libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in /tmp/root/.config/libimobiledevice/. @maintainers, please drop 1.1.4-r4.
Also, GLSA vote: no.
GLSA vote: no.
+ 12 Feb 2014; Sergey Popov <pinkbyte@gentoo.org> + -libimobiledevice-1.1.4-r4.ebuild, + -files/libimobiledevice-1.1.4-HOME-segfault.patch, + -files/libimobiledevice-1.1.4-openssl.patch, + -files/libimobiledevice-1.1.4-property_list_service-do-not-strip-non-ASCII-ch + aract.patch: + Security cleanup, wrt bug #499126 Actually, fix was at least partially backported in -r4, but we have new version in stable for a couple of months with no reported breakages.
(In reply to Sergey Popov from comment #3) > + 12 Feb 2014; Sergey Popov <pinkbyte@gentoo.org> > + -libimobiledevice-1.1.4-r4.ebuild, > + -files/libimobiledevice-1.1.4-HOME-segfault.patch, > + -files/libimobiledevice-1.1.4-openssl.patch, > + > -files/libimobiledevice-1.1.4-property_list_service-do-not-strip-non-ASCII-ch > + aract.patch: > + Security cleanup, wrt bug #499126 > > Actually, fix was at least partially backported in -r4, but we have new > version in stable for a couple of months with no reported breakages. what?! bug 500240 bug 500238 1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/
(In reply to Samuli Suominen from comment #4) > 1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and > I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/ Ok, then i assume that you verifid that all necessary parts of fix were applied in 1.1.4-r4 and you restored it for good purpose.
(In reply to Sergey Popov from comment #5) > (In reply to Samuli Suominen from comment #4) > > 1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and > > I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/ > > Ok, then i assume that you verifid that all necessary parts of fix were > applied in 1.1.4-r4 and you restored it for good purpose. nah, your commit just never happened, as you can see from: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-pda/libimobiledevice/libimobiledevice-1.1.4-r4.ebuild?view=log