Location service uses cached authorization even after revocation
CVE-2014-1422

5MEDIUM

Key Information:

Vendor: Canonical
Status: Trust-store (ubuntu); Trust-store (ubuntu Rtm)
Vendor: CVE Published:; 22 July 2020

Summary

In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered by creation time by the Select struct in src/core/trust/impl/sqlite3/store.cpp. Fixed in trust-store (Ubuntu) version 1.1.0+15.04.20150123-0ubuntu1 and trust-store (Ubuntu RTM) version 1.1.0+15.04.20150123~rtm-0ubuntu1.

Affected Version(s)

trust-store (Ubuntu RTM) 1.1.0 < 1.1.0+15.04.20150123~rtm-0ubuntu1

trust-store (Ubuntu) 1.1.0 < 1.1.0+15.04.20150123-0ubuntu1

References

https://launchpad.net/bugs/1387734

x_refsource_CONFIRM

https://bazaar.launchpad.net/~phablet-team/trust-store/tr...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 22, 2020
Vulnerability Reserved
Jan 13, 2014

Credit

David Barth