Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 499126 (CVE-2013-2142) - <app-pda/libimobiledevice-1.1.5: Symlink attack (CVE-2013-2142)
Summary: <app-pda/libimobiledevice-1.1.5: Symlink attack (CVE-2013-2142)
Status: RESOLVED FIXED
Alias: CVE-2013-2142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-24 14:40 UTC by GLSAMaker/CVETool Bot
Modified: 2014-05-11 13:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:40:22 UTC 
CVE-2013-2142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2142):
  userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are
  not set, allows local users to overwrite arbitrary files via a symlink
  attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3)
  libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in
  /tmp/root/.config/libimobiledevice/.


@maintainers, please drop 1.1.4-r4.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-24 15:32:34 UTC 
Also, GLSA vote: no.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-09 18:13:27 UTC 
GLSA vote: no.
Comment 3 Sergey Popov gentoo-dev 2014-02-12 10:44:44 UTC 
+  12 Feb 2014; Sergey Popov <pinkbyte@gentoo.org>
+  -libimobiledevice-1.1.4-r4.ebuild,
+  -files/libimobiledevice-1.1.4-HOME-segfault.patch,
+  -files/libimobiledevice-1.1.4-openssl.patch,
+  -files/libimobiledevice-1.1.4-property_list_service-do-not-strip-non-ASCII-ch
+  aract.patch:
+  Security cleanup, wrt bug #499126

Actually, fix was at least partially backported in -r4, but we have new version in stable for a couple of months with no reported breakages.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2014-02-12 14:26:22 UTC 
(In reply to Sergey Popov from comment #3)
> +  12 Feb 2014; Sergey Popov <pinkbyte@gentoo.org>
> +  -libimobiledevice-1.1.4-r4.ebuild,
> +  -files/libimobiledevice-1.1.4-HOME-segfault.patch,
> +  -files/libimobiledevice-1.1.4-openssl.patch,
> + 
> -files/libimobiledevice-1.1.4-property_list_service-do-not-strip-non-ASCII-ch
> +  aract.patch:
> +  Security cleanup, wrt bug #499126
> 
> Actually, fix was at least partially backported in -r4, but we have new
> version in stable for a couple of months with no reported breakages.

what?!

bug 500240
bug 500238

1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/
Comment 5 Sergey Popov gentoo-dev 2014-05-11 13:11:33 UTC 
(In reply to Samuli Suominen from comment #4)
> 1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and
> I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/

Ok, then i assume that you verifid that all necessary parts of fix were applied in 1.1.4-r4 and you restored it for good purpose.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2014-05-11 13:24:40 UTC 
(In reply to Sergey Popov from comment #5)
> (In reply to Samuli Suominen from comment #4)
> > 1.1.5 majorly changed API from 1.1.4 and broke every reverse dependency, and
> > I was *not* ready as a libimobiledevice maintainer to let 1.1.4 go :-/
> 
> Ok, then i assume that you verifid that all necessary parts of fix were
> applied in 1.1.4-r4 and you restored it for good purpose.

nah, your commit just never happened, as you can see from:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-pda/libimobiledevice/libimobiledevice-1.1.4-r4.ebuild?view=log