user-specific and possible private files are written to a global location
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libimobiledevice (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
$ dpkg -l libimobiledevic* | grep ^ii
ii libimobiledevice3 1.1.4-1ubuntu6 amd64 Library for communicating with the iPhone and iPod Touch
$ lsb_release -d
Description: Ubuntu Raring Ringtail (development branch)
I just noticed the oddly-named "/tmp/root" on my machine.
$ tree -a /tmp/root
/tmp/root
└── .config
    └── libimobiledevice
        ├── HostCertificate.pem
        ├── HostPrivateKey.pem
        ├── libimobiledevicerc
        ├── RootCertificate.pem
        └── RootPrivateKey.pem
Given the names of some of the files and the fact they probably relate to my phone, I suspect they should not live here, and certainly not be world-readable, as they currently are:
$ sudo -u nobody sha256sum /tmp/root/
35df7500851f8b7
4a50a2982d2479d
49bb734ce3a6ac0
0753ad5f801544c
aa1d53e80d7033e
There are some files in $HOME/.
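An added example, not part of the original report and not libimobiledevice code: a shell check for the condition described above, PEM private keys that users other than the owner can read, plus a local lock-down of what it finds. The function names and the PEM-header match are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from libimobiledevice).
# Function names are hypothetical.

# Pattern for a PEM private-key header, e.g. "-----BEGIN RSA PRIVATE KEY-----".
KEY_HEADER='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Print every regular file under directory $1 that has the group-read or
# other-read bit set AND contains a PEM private-key header.
# Certificates and config files are not reported.
# Assumes file names without embedded newlines.
find_exposed_keys() {
    find "$1" -type f \( -perm -004 -o -perm -040 \) -print |
    while IFS= read -r f; do
        if grep -q -e "$KEY_HEADER" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Restrict each reported key to 0600 and its directory to 0700.
# Returns 0 only if a second scan finds nothing exposed.
lock_down_keys() {
    find_exposed_keys "$1" |
    while IFS= read -r f; do
        chmod 600 "$f"
        chmod 700 "$(dirname "$f")"
    done
    [ -z "$(find_exposed_keys "$1")" ]
}

# Stand-alone use: sh audit.sh /tmp/root
[ "$#" -eq 0 ] || find_exposed_keys "$1"
```

Tightening modes does not change where the files live, and a key that another user could already read should be treated as exposed.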
Changed in libimobiledevice (Ubuntu):
status: Incomplete → New
What user owned those files?
Did you perhaps run some of those tools with sudo, or from root without a $HOME directory set?
Could you give exact steps necessary to reproduce the issue?