CVE-2013-2142
Published: 4 June 2013
userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not set, allows local users to overwrite arbitrary files via a symlink attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3) libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in /tmp/root/.config/libimobiledevice/.
Priority
Status
Package | Release | Status |
---|---|---|
libimobiledevice (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life) |
libimobiledevice | precise | Not vulnerable (1.1.1-4) |
libimobiledevice | quantal | Released (1.1.4-1ubuntu3.2) |
libimobiledevice | raring | Released (1.1.4-1ubuntu6.2) |
libimobiledevice | upstream | Needed |

Patches:

upstream: http://cgit.sukimashita.com/libimobiledevice.git/commit/?id=a2ddca0916ef776dbd0c6304ea36b4ca7a35302c

upstream: http://cgit.sukimashita.com/libimobiledevice.git/commit/?id=153fbe15c702d9c36551d84ee8cb25c4884fd701

upstream: http://cgit.sukimashita.com/libimobiledevice.git/commit/?id=42892465d4522cf19283b8a06bf48104bb387430

This vulnerability is mitigated in part by the use of symlink restrictions in Ubuntu.

This vulnerability is mitigated in part by the use of hardlink restrictions in Ubuntu.