Hillwood Yang

**Name of the Vulnerable Software and Affected Versions** deepin-clone versions prior to 1.1.3 **Description** The issue allows an unprivileged user to prepare a symlink at a predictable path `/tmp/.deepin-clone/mount/<block-dev-basename>` in the `Helper::temporaryMountDevice()` function to temporarily mount a file system as root. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. **Recommendations** For deepin-clone versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/tmp/.deepin-clone/mount/` directory to prevent an unprivileged user from creating a symlink at the predictable path.

**Name of the Vulnerable Software and Affected Versions** deepin-clone versions prior to 1.1.3 **Description** The issue allows an unprivileged user to potentially create or overwrite files in arbitrary file system locations by preparing a symlink attack at the fixed path /tmp/.deepin-clone.log. The content of the created or overwritten files is not controlled by the attacker. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/.deepin-clone.log file to prevent symlink attacks until the update is applied.

**Name of the Vulnerable Software and Affected Versions** deepin-clone versions prior to 1.1.3 **Description** The issue allows an unprivileged user to potentially create or overwrite files in arbitrary file system locations by preparing a symlink attack in the /tmp/repo.iso path used by the BootDoctor::fix() function. Although the content is not directly controlled by the attacker, winning a race condition to replace the /tmp/repo.iso symlink with an attacker-controlled ISO file may lead to further privilege escalation. **Recommendations** For deepin-clone versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/repo.iso path to prevent symlink attacks until the update is applied.

**Name of the Vulnerable Software and Affected Versions** deepin-clone versions prior to 1.1.3 **Description** The issue allows an unprivileged user to create or overwrite files in arbitrary file system locations by preparing a symlink attack. This is due to the use of a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, which follows symlinks. However, the content of the files is not controlled by the attacker. **Recommendations** For deepin-clone versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/partclone.log file to prevent symlink attacks until a patch is available.