Message-ID: <1961204867.37145591.1353671088048.JavaMail.root@redhat.com>
Date: Fri, 23 Nov 2012 06:44:48 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
    Christoph Biedl <debian.axhn@...chmal.in-ulm.de>
Subject: CVE Request -- android-tools (server): Insecure temporary file used for logging

Hello Kurt, Steve, vendors,

  Christoph Biedl in Debian bug report [1] noticed the following deficiency:

An insecure temporary file use flaw was found in the way the server component
of android tools, a suite of Android Debug Bridge (ADB) platform tools,
performed logging of server events upon server startup. A local attacker
could use this flaw to conduct symbolic link attacks, possibly leading to
their ability to append unauthorized content to system files accessible
with the privileges of the user running the adb executable.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688280
[2] https://bugzilla.redhat.com/show_bug.cgi?id=879582

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
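
The flaw class described in the message, as an added example that is not part of the original post and is not adb's code: it assumes the server appends to a fixed log name in a shared directory, and contrasts that open() call with one that refuses a symlink at the log path. The helper names and the scratch paths are hypothetical and constructed for the demonstration.

```c
/* Added illustration, not adb source. Names and paths are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: append to a predictable path and follow whatever is there. */
static int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened: refuse a symlink at the final component, then confirm the opened
 * object is a regular, singly linked file owned by the caller. */
static int open_log_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scratch-dir scenario; returns the symlink target's final size. */
static long demo(int use_safe) {
    char dir[] = "/tmp/logdemo.XXXXXX", victim[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(logp, sizeof logp, "%s/server.log", dir);
    close(open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600));
    if (symlink(victim, logp) != 0) return -1;
    int fd = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    if (fd >= 0) {
        if (write(fd, "server started\n", 15) != 15) perror("write");
        close(fd);
    }
    if (stat(victim, &st) != 0) st.st_size = -1;
    unlink(logp); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void) {
    printf("other file size: unsafe=%ld safe=%ld\n", demo(0), demo(1));
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so keeping the log in a directory that only the invoking user can write to is the more complete fix.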