CVE-2019-13226

Name of the Vulnerable Software and Affected Versions deepin-clone versions prior to 1.1.3

Description The issue allows an unprivileged user to prepare a symlink at a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system.

Recommendations For deepin-clone versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/.deepin-clone/mount/ directory to prevent an unprivileged user from creating a symlink at the predictable path.