user-specific and possible private files are written to a global location

Bug #1164263 reported by Paul Collins
Affects: libimobiledevice (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ dpkg -l libimobiledevic* | grep ^ii
ii libimobiledevice3 1.1.4-1ubuntu6 amd64 Library for communicating with the iPhone and iPod Touch
$ lsb_release -d
Description: Ubuntu Raring Ringtail (development branch)

I just noticed the oddly-named "/tmp/root" on my machine.

$ tree -a /tmp/root
/tmp/root
└── .config
    └── libimobiledevice
        ├── HostCertificate.pem
        ├── HostPrivateKey.pem
        ├── libimobiledevicerc
        ├── RootCertificate.pem
        └── RootPrivateKey.pem

Given the names of some of the files and the fact that they probably relate to my phone, I suspect they should not live here, and certainly should not be world-readable, as they currently are:
$ sudo -u nobody sha256sum /tmp/root/.config/libimobiledevice/*
35df7500851f8b77e97da0d19b656233fa70e23933426bcce9c1860ad30d854c /tmp/root/.config/libimobiledevice/HostCertificate.pem
4a50a2982d2479d7f4cee23c41c93ba0d31bc97732d4d0accaa7e24d643003f1 /tmp/root/.config/libimobiledevice/HostPrivateKey.pem
49bb734ce3a6ac0bf517738e8c13dfdd6281f66bd63e82355a1aa319fd94aa2c /tmp/root/.config/libimobiledevice/libimobiledevicerc
0753ad5f801544c927af58fa3521784246fe510ee3d7870863db736481e5b278 /tmp/root/.config/libimobiledevice/RootCertificate.pem
aa1d53e80d7033e8ca27ea37b140a8bdb1ae6185371975360751377013131e03 /tmp/root/.config/libimobiledevice/RootPrivateKey.pem

There are some files in $HOME/.config/libimobiledevice with similar names that date from October 10th 2012.

Marc Deslauriers (mdeslaur) wrote :

What user owned those files?

Did you perhaps run some of those tools with sudo, or from root without a $HOME directory set?

Could you give exact steps necessary to reproduce the issue?

information type: Private Security → Public Security
Changed in libimobiledevice (Ubuntu):
status: New → Incomplete
Paul Collins (pjdc) wrote :

The files are owned by root. I have not directly run any of the related tools as root (or indeed ever, that I can recall).

I can create a fresh set simply by removing the existing set and plugging in my phone:

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ./
drwxrwxrwt 19 root root 4096 Apr 5 09:05 ../
drwxr-xr-x 3 root root 4096 Apr 4 16:31 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ../
drwxr-xr-x 2 root root 4096 Apr 4 16:31 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr 4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ../
-rw-r--r-- 1 root root 964 Apr 4 16:31 HostCertificate.pem
-rw-r--r-- 1 root root 1679 Apr 4 16:31 HostPrivateKey.pem
-rw-r--r-- 1 root root 54 Apr 4 16:31 libimobiledevicerc
-rw-r--r-- 1 root root 948 Apr 4 16:31 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 4 16:31 RootPrivateKey.pem
$ sudo rm -rf /tmp/root
$ ls -lRa /tmp/root
ls: cannot access /tmp/root: No such file or directory

[ Here I plug in my phone ]

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ./
drwxrwxrwt 19 root root 4096 Apr 5 09:07 ../
drwxr-xr-x 3 root root 4096 Apr 5 09:07 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ../
drwxr-xr-x 2 root root 4096 Apr 5 09:07 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr 5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ../
-rw-r--r-- 1 root root 964 Apr 5 09:07 HostCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 5 09:07 HostPrivateKey.pem
-rw-r--r-- 1 root root 54 Apr 5 09:07 libimobiledevicerc
-rw-r--r-- 1 root root 948 Apr 5 09:07 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 5 09:07 RootPrivateKey.pem

Paul Collins (pjdc)
Changed in libimobiledevice (Ubuntu):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

I have reproduced this with an iPod in saucy.

Caused by this upstream commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825da48d2e9c20086c4e34869da0b28376676b4c

I don't believe there's anything confidential in that directory though; it seems to simply consist of the device's public key, which anyone can pull off the device, and a set of user-specific generated keys for communication.

Marc Deslauriers (mdeslaur) wrote :

The directories don't seem to be created in a safe manner though. On Ubuntu, an attack would be prevented by the Yama symlink restrictions, but this is definitely an issue.

Marc Deslauriers (mdeslaur) wrote :
Changed in libimobiledevice (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu3.2

---------------
libimobiledevice (1.1.4-1ubuntu3.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers <email address hidden> Wed, 14 Aug 2013 11:56:31 -0400

Changed in libimobiledevice (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu6.2

---------------
libimobiledevice (1.1.4-1ubuntu6.2) raring-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers <email address hidden> Wed, 14 Aug 2013 11:56:31 -0400

Changed in libimobiledevice (Ubuntu):
status: Confirmed → Fix Released
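The two problems the thread identifies are the fallback to /tmp when $HOME is unset (fixed in the changelog above by falling back to getpwuid_r) and the unsafe way the directories were created (Marc Deslauriers' comment on symlink restrictions). The following C program is an added example written for this page; it is not libimobiledevice's own code or its patch. It resolves the config directory from $HOME or the password database and fails closed instead of using /tmp, creates the directory tree through O_NOFOLLOW descriptors so a planted symlink is refused rather than followed, and writes key files with owner-only permissions. The function names resolve_config_dir, ensure_dir, create_config_dir and write_private_file are mine; CONFIG_SUBDIR mirrors the path seen in the report. It assumes a Linux/glibc system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Subdirectory under the user's home, as seen in the bug report. */
#define CONFIG_SUBDIR "/.config/libimobiledevice"

/* Resolve the per-user config directory. home_env is the value of $HOME
 * (NULL when unset, as can happen when a tool runs from a root context);
 * uid is looked up with getpwuid_r when $HOME is unusable. There is no
 * /tmp fallback: with no usable home the function returns NULL.
 * The caller frees the returned string. (Hypothetical helper, not from the project.) */
char *resolve_config_dir(const char *home_env, uid_t uid)
{
    const char *home;
    struct passwd pw, *result = NULL;
    char buf[4096];

    if (home_env && home_env[0] == '/') {
        home = home_env;
    } else if (getpwuid_r(uid, &pw, buf, sizeof buf, &result) == 0 &&
               result && result->pw_dir && result->pw_dir[0] == '/') {
        home = result->pw_dir;      /* the fallback the security update describes */
    } else {
        errno = ENOENT;
        return NULL;                /* fail closed rather than write to /tmp */
    }
    size_t n = strlen(home) + strlen(CONFIG_SUBDIR) + 1;
    char *path = malloc(n);
    if (path)
        snprintf(path, n, "%s%s", home, CONFIG_SUBDIR);
    return path;
}

/* Create (or accept) one directory and verify it by descriptor: O_NOFOLLOW
 * refuses a symlink planted at the path, fstat confirms ownership, and for
 * the private leaf (strict) any group/other bits are cleared. */
static int ensure_dir(const char *path, uid_t uid, mode_t mode, int strict)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* ELOOP: something else sits at this path */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0 && st.st_uid == uid)
        rc = (strict && (st.st_mode & 077)) ? fchmod(fd, mode) : 0;
    else
        errno = EPERM;
    close(fd);
    return rc;
}

/* Create ~/.config (shared, 0755) and then the private leaf (owner-only, 0700). */
int create_config_dir(const char *dir, uid_t uid)
{
    char parent[PATH_MAX];
    const char *slash = strrchr(dir, '/');
    if (!slash || slash == dir || (size_t)(slash - dir) >= sizeof parent) {
        errno = EINVAL;
        return -1;
    }
    memcpy(parent, dir, (size_t)(slash - dir));
    parent[slash - dir] = '\0';
    if (ensure_dir(parent, uid, 0755, 0) != 0)
        return -1;
    return ensure_dir(dir, uid, 0700, 1);
}

/* Write key material to a file only the owner can read. O_NOFOLLOW blocks a
 * symlink in the final component; the descriptor is checked to be a regular
 * file we own before it is truncated or written. */
int write_private_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid() ||
        fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    close(fd);
    return (w >= 0 && (size_t)w == len) ? 0 : -1;
}

int main(void)
{
    char *dir = resolve_config_dir(getenv("HOME"), getuid());
    if (!dir || create_config_dir(dir, getuid()) != 0) {
        perror("config dir");
        free(dir);
        return 1;
    }
    printf("config dir ready: %s\n", dir);
    free(dir);
    return 0;
}
```

Run with $HOME unset (`env -u HOME ./a.out`) to see the password-database fallback; the directory still lands under the invoking user's home rather than /tmp, and a symlink placed at either `~/.config` or one of the key file paths makes the call fail with ELOOP instead of being followed.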