Libimobiledevice · Libimobiledevice · CVE-2013-2142
**Name of the Vulnerable Software and Affected Versions**
libimobiledevice version 1.1.4
**Description**
The issue allows local users to overwrite arbitrary files via a symlink attack on certain files in `/tmp/root/.config/libimobiledevice/` when `$HOME` and `$XDG_CONFIG_HOME` are not set. The affected files include `HostCertificate.pem`, `HostPrivateKey.pem`, `libimobiledevicerc`, `RootCertificate.pem`, and `RootPrivateKey.pem`.
**Recommendations**
For libimobiledevice version 1.1.4, consider setting the `$HOME` and `$XDG_CONFIG_HOME` environment variables to prevent the symlink attack. As a temporary workaround, restrict write access to the `/tmp/root/.config/libimobiledevice/` directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
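
A defensive check for the conditions described above, added here as an example (it is not libimobiledevice code): it reports whether the `/tmp` fallback applies and whether the configuration directory or any of the five listed files is a symlink, is owned by another user, or sits in a directory others can write to. The function names `fallback_applies` and `audit_dir` are hypothetical, and the ownership and permission checks go slightly beyond the symlink case named in the description.

```shell
#!/bin/sh
# Added example, not libimobiledevice code. Function names are hypothetical.
# File names are the five listed in the advisory.
CONF_FILES="HostCertificate.pem HostPrivateKey.pem libimobiledevicerc RootCertificate.pem RootPrivateKey.pem"

# fallback_applies HOME_VALUE XDG_VALUE
# Succeeds when both values are empty, the condition under which the
# advisory says the /tmp path is used.
fallback_applies() {
    [ -z "$1" ] && [ -z "$2" ]
}

# audit_dir DIR
# Prints one FINDING line per problem and returns 1 if any were found.
# A missing directory yields no findings: nothing has been planted yet.
audit_dir() {
    dir=$1
    bad=0
    if [ -L "$dir" ]; then
        echo "FINDING: $dir is a symlink"; bad=1
    elif [ -d "$dir" ]; then
        if [ ! -O "$dir" ]; then
            echo "FINDING: $dir is not owned by the current user"; bad=1
        fi
        # -prune limits find to the directory entry itself.
        if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "FINDING: $dir is group- or world-writable"; bad=1
        fi
    fi
    for name in $CONF_FILES; do
        f=$dir/$name
        if [ -L "$f" ]; then
            echo "FINDING: $f is a symlink"; bad=1
        elif [ -e "$f" ] && [ ! -O "$f" ]; then
            echo "FINDING: $f is not owned by the current user"; bad=1
        fi
    done
    return "$bad"
}

# Typical use:
#   fallback_applies "${HOME:-}" "${XDG_CONFIG_HOME:-}" \
#       && audit_dir /tmp/root/.config/libimobiledevice
```

Run it as the account that invokes libimobiledevice, since the ownership tests compare against the effective user.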