CVE-2019-13229

Name of the Vulnerable Software and Affected Versions deepin-clone versions prior to 1.1.3

Description The issue allows an unprivileged user to create or overwrite files in arbitrary file system locations by preparing a symlink attack. This is due to the use of a fixed path /tmp/partclone.log in the Helper::getPartitionSizeInfo() function to write a log file as root, which follows symlinks. However, the content of the files is not controlled by the attacker.

Recommendations For deepin-clone versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /tmp/partclone.log file to prevent symlink attacks until a patch is available.