CVE-2013-2142

Name of the Vulnerable Software and Affected Versions libimobiledevice version 1.1.4

Description The issue allows local users to overwrite arbitrary files via a symlink attack on certain files in /tmp/root/.config/libimobiledevice/ when $HOME and $XDG CONFIG HOME are not set. The affected files include HostCertificate.pem, HostPrivateKey.pem, libimobiledevicerc, RootCertificate.pem, and RootPrivateKey.pem.

Recommendations For libimobiledevice version 1.1.4, consider setting $HOME and $XDG CONFIG HOME environment variables to prevent the symlink attack. As a temporary workaround, restrict write access to the /tmp/root/.config/libimobiledevice/ directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.