libimobiledevice: CVE-2013-2142: insecure /tmp usage

Related Vulnerabilities: CVE-2013-2142  

Debian Bug report logs - #710885


Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 3 Jun 2013 09:37:13 UTC

Severity: important

Tags: security

Found in version 1.1.1-4

Fixed in version libimobiledevice/1.1.5-0.1

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#710885; Package libimobiledevice. (Mon, 03 Jun 2013 09:37:18 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Mon, 03 Jun 2013 09:37:18 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: libimobiledevice: insecure /tmp usage
Date: Mon, 3 Jun 2013 11:43:55 +0300
Package: libimobiledevice
Version: 1.1.1-4
Severity: important
Tags: security

Insecure /tmp usage vulnerability has been fixed in upstream. Please contact me
in case you need assistance.

http://www.openwall.com/lists/oss-security/2013/05/31/5
http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d
http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263

---
Henri Salo

Information forwarded to debian-bugs-dist@lists.debian.org, gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>:
Bug#710885; Package libimobiledevice. (Tue, 04 Jun 2013 21:03:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>. (Tue, 04 Jun 2013 21:03:12 GMT)


Message #10 received at 710885@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 710885@bugs.debian.org
Subject: Re: Bug#710885: libimobiledevice: insecure /tmp usage
Date: Tue, 4 Jun 2013 22:59:55 +0200
Control: retitle -1 libimobiledevice: CVE-2013-2142: insecure /tmp usage

On Mon, Jun 03, 2013 at 11:43:55AM +0300, Henri Salo wrote:
> Package: libimobiledevice
> Version: 1.1.1-4
> Severity: important
> Tags: security
> 
> Insecure /tmp usage vulnerability has been fixed in upstream. Please contact me
> in case you need assistance.
> 
> http://www.openwall.com/lists/oss-security/2013/05/31/5
> http://cgit.sukimashita.com/libimobiledevice.git/commit/src?id=825d
> http://libiphone.lighthouseapp.com/projects/27916-libiphone/tickets/331-insecure-tmp-directory-use
> https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1164263

A CVE was now assigned to this issue. Please include the CVE in your
changelog when you fix this issue.

Thanks a lot in advance, and for your work

Regards,
Salvatore



Changed Bug title to 'libimobiledevice: CVE-2013-2142: insecure /tmp usage' from 'libimobiledevice: insecure /tmp usage'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 710885-submit@bugs.debian.org. (Tue, 04 Jun 2013 21:03:12 GMT)


Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sat, 12 Oct 2013 19:06:15 GMT)


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Mon, 14 Oct 2013 10:03:20 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 14 Oct 2013 10:03:20 GMT)


Message #19 received at 710885-close@bugs.debian.org:

From: Andreas Metzler <ametzler@debian.org>
To: 710885-close@bugs.debian.org
Subject: Bug#710885: fixed in libimobiledevice 1.1.5-0.1
Date: Mon, 14 Oct 2013 10:00:07 +0000
Source: libimobiledevice
Source-Version: 1.1.5-0.1

We believe that the bug you reported is fixed in the latest version of
libimobiledevice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated libimobiledevice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 12 Oct 2013 18:49:30 +0200
Source: libimobiledevice
Binary: libimobiledevice4 libimobiledevice-dev libimobiledevice4-dbg python-imobiledevice libimobiledevice-utils libimobiledevice-doc
Architecture: source i386 all
Version: 1.1.5-0.1
Distribution: experimental
Urgency: low
Maintainer: gtkpod Maintainers <pkg-gtkpod-devel@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description: 
 libimobiledevice-dev - Library for communicating with iPhone and iPod Touch devices
 libimobiledevice-doc - Library for communicating with iPhone and iPod Touch devices
 libimobiledevice-utils - Library for communicating with iPhone and iPod Touch devices
 libimobiledevice4 - Library for communicating with the iPhone and iPod Touch
 libimobiledevice4-dbg - Library for communicating with iPhone and iPod Touch devices
 python-imobiledevice - Library for communicating with iPhone and iPod Touch devices
Closes: 624066 682275 709369 710885 713689 725637
Changes: 
 libimobiledevice (1.1.5-0.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * Sync from Ubuntu.
     + New upstream version. Closes: #709369
     + Includes fix for CVE-2013-2142: insecure /tmp usage. Closes: #710885
     + Compatible with newer libusbmuxd. Closes: #682275
     + New upstream version does not use gnutls_*_set_priority functions
       anymore. Closes: #624066
     + Package builds. Closes: #713689
     + Does not depend on libusbmuxd1. Closes: #725637
   * configure with --disable-silent-rules
   * Delete ubuntu-revision on symbol string_concat@Base in
     debian/libimobiledevice4.symbols.
   * Update authors and download location in debian/copyright.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Dec 2013 07:29:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:15:25 2019; Machine Name: buxtehude
