Launchpad CVE tracker

CVE 2013-2142

userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not set, allows local users to overwrite arbitrary files via a symlink attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3) libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in /tmp/root/.config/libimobiledevice/.

Related bugs and status

CVE-2013-2142 (Candidate) is related to these bugs:

Bug #1164263: user-specific and possible private files are written to a global location

Summary				In	Importance	Status
	1164263	user-specific and possible private files are written to a global location		libimobiledevice (Ubuntu)	Undecided	Fix Released

Bug #1207812: [FFe] Update libimobiledevice to support iOS 7, fix Trust Prompt Looping

		In	Importance	Status
1207812	[FFe] Update libimobiledevice to support iOS 7, fix Trust Prompt Looping	libimobiledevice (Ubuntu)	Medium	Fix Released
1207812	[FFe] Update libimobiledevice to support iOS 7, fix Trust Prompt Looping	libimobiledevice (Debian)	Unknown	Fix Released
1207812	[FFe] Update libimobiledevice to support iOS 7, fix Trust Prompt Looping	Linux Mint	Undecided	Fix Released

Bug #1249847: Sync libimobiledevice 1.1.5-2 (main) from Debian unstable (main)

Summary				In	Importance	Status
	1249847	Sync libimobiledevice 1.1.5-2 (main) from Debian unstable (main)		libimobiledevice (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2013-2142

References