user-specific and possibly private files are written to a global location

Bug #1164263 reported by Paul Collins on 2013-04-04
Affects: libimobiledevice (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ dpkg -l libimobiledevic* | grep ^ii
ii libimobiledevice3 1.1.4-1ubuntu6 amd64 Library for communicating with the iPhone and iPod Touch
$ lsb_release -d
Description: Ubuntu Raring Ringtail (development branch)

I just noticed the oddly-named "/tmp/root" on my machine.

$ tree -a /tmp/root
/tmp/root
└── .config
    └── libimobiledevice
        ├── HostCertificate.pem
        ├── HostPrivateKey.pem
        ├── libimobiledevicerc
        ├── RootCertificate.pem
        └── RootPrivateKey.pem

Given the names of some of the files and the fact they probably relate to my phone, I suspect they should not live here, and certainly not be world-readable, as they currently are:
$ sudo -u nobody sha256sum /tmp/root/.config/libimobiledevice/*
35df7500851f8b77e97da0d19b656233fa70e23933426bcce9c1860ad30d854c /tmp/root/.config/libimobiledevice/HostCertificate.pem
4a50a2982d2479d7f4cee23c41c93ba0d31bc97732d4d0accaa7e24d643003f1 /tmp/root/.config/libimobiledevice/HostPrivateKey.pem
49bb734ce3a6ac0bf517738e8c13dfdd6281f66bd63e82355a1aa319fd94aa2c /tmp/root/.config/libimobiledevice/libimobiledevicerc
0753ad5f801544c927af58fa3521784246fe510ee3d7870863db736481e5b278 /tmp/root/.config/libimobiledevice/RootCertificate.pem
aa1d53e80d7033e8ca27ea37b140a8bdb1ae6185371975360751377013131e03 /tmp/root/.config/libimobiledevice/RootPrivateKey.pem

There are some files in $HOME/.config/libimobiledevice with similar names that date from October 10th 2012.

Marc Deslauriers (mdeslaur) wrote :

What user owned those files?

Did you perhaps run some of those tools with sudo, or from root without a $HOME directory set?

Could you give exact steps necessary to reproduce the issue?

information type: Private Security → Public Security
Changed in libimobiledevice (Ubuntu):
status: New → Incomplete
Paul Collins (pjdc) wrote :

The files are owned by root. I have not directly run any of the related tools as root (or indeed ever, that I can recall).

I can create a fresh set simply by removing the existing set and plugging in my phone:

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ./
drwxrwxrwt 19 root root 4096 Apr 5 09:05 ../
drwxr-xr-x 3 root root 4096 Apr 4 16:31 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ../
drwxr-xr-x 2 root root 4096 Apr 4 16:31 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr 4 16:31 ./
drwxr-xr-x 3 root root 4096 Apr 4 16:31 ../
-rw-r--r-- 1 root root 964 Apr 4 16:31 HostCertificate.pem
-rw-r--r-- 1 root root 1679 Apr 4 16:31 HostPrivateKey.pem
-rw-r--r-- 1 root root 54 Apr 4 16:31 libimobiledevicerc
-rw-r--r-- 1 root root 948 Apr 4 16:31 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 4 16:31 RootPrivateKey.pem
$ sudo rm -rf /tmp/root
$ ls -lRa /tmp/root
ls: cannot access /tmp/root: No such file or directory

[ Here I plug in my phone ]

$ ls -lRa /tmp/root
/tmp/root:
total 12
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ./
drwxrwxrwt 19 root root 4096 Apr 5 09:07 ../
drwxr-xr-x 3 root root 4096 Apr 5 09:07 .config/

/tmp/root/.config:
total 12
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ../
drwxr-xr-x 2 root root 4096 Apr 5 09:07 libimobiledevice/

/tmp/root/.config/libimobiledevice:
total 28
drwxr-xr-x 2 root root 4096 Apr 5 09:07 ./
drwxr-xr-x 3 root root 4096 Apr 5 09:07 ../
-rw-r--r-- 1 root root 964 Apr 5 09:07 HostCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 5 09:07 HostPrivateKey.pem
-rw-r--r-- 1 root root 54 Apr 5 09:07 libimobiledevicerc
-rw-r--r-- 1 root root 948 Apr 5 09:07 RootCertificate.pem
-rw-r--r-- 1 root root 1675 Apr 5 09:07 RootPrivateKey.pem

Paul Collins (pjdc) on 2013-04-07
Changed in libimobiledevice (Ubuntu):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

I have reproduced this with an iPod in saucy.

Caused by this upstream commit:

http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825da48d2e9c20086c4e34869da0b28376676b4c

I don't believe there's anything confidential in that directory though, it seems to simply consist of the device's public key, which anyone can pull off the device, and a set of user-specific generated keys for communication.

Marc Deslauriers (mdeslaur) wrote :

The directories don't seem to be created in a safe manner though. On Ubuntu, an attack would be prevented by the Yama symlink restrictions, but this is definitely an issue.

Marc Deslauriers (mdeslaur) wrote :
Changed in libimobiledevice (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu3.2

---------------
libimobiledevice (1.1.4-1ubuntu3.2) quantal-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers <email address hidden> Wed, 14 Aug 2013 11:56:31 -0400

Changed in libimobiledevice (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libimobiledevice - 1.1.4-1ubuntu6.2

---------------
libimobiledevice (1.1.4-1ubuntu6.2) raring-security; urgency=low

  * SECURITY UPDATE: insecure /tmp usage (LP: #1164263)
    - debian/patches/CVE-2013-2142.patch: fall back to getpwuid_r instead
      of using /tmp in src/userpref.c. Added string_concat() function in
      src/Makefile.am, src/utils.c, src/utils.h.
    - added new symbol to debian/libimobiledevice3.symbols.
    - CVE-2013-2142
 -- Marc Deslauriers <email address hidden> Wed, 14 Aug 2013 11:56:31 -0400

Changed in libimobiledevice (Ubuntu):
status: Confirmed → Fix Released
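
The pattern this report is about, as an added C example (it is not the CVE-2013-2142 patch and not libimobiledevice code): resolve the per-user directory from $HOME or, when that is unset, from getpwuid_r with no /tmp fallback, then create the config directory and key files so that no other user can read them. The function names user_home, private_dir and write_private are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Per-user base directory: $HOME when set to an absolute path, otherwise the
 * passwd entry of the calling uid. There is deliberately no /tmp fallback. */
int user_home(char *out, size_t len)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    const char *h = getenv("HOME");
    if (h == NULL || h[0] != '/') {
        if (getpwuid_r(getuid(), &pw, buf, sizeof buf, &res) != 0 || res == NULL)
            return -1;                       /* fail closed */
        h = pw.pw_dir;
    }
    if (h == NULL || h[0] != '/' || strlen(h) >= len)
        return -1;
    strcpy(out, h);
    return 0;
}

/* Create path with mode 0700. If something is already there, accept it only if
 * it is a real directory (lstat does not follow symlinks), owned by us, with
 * no group/other permission bits. */
int private_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_uid == geteuid() && (st.st_mode & 077) == 0) ? 0 : -1;
}

/* Write key material to a new 0600 file. O_CREAT|O_EXCL fails if anything,
 * including a symlink, already exists at that name. */
int write_private(const char *path, const void *data, size_t n)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, n);
    return (close(fd) == 0 && w == (ssize_t)n) ? 0 : -1;
}
```

Applied to the listing above, private_dir would reject a pre-existing 0755 directory or a symlink at the target path, and the *PrivateKey.pem files would be created 0600 rather than 0644.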