Location service uses cached authorization even after revocation
CVE-2014-1422

5MEDIUM

Key Information:

Vendor: Canonical
Status: Trust-store (ubuntu); Trust-store (ubuntu Rtm)
Vendor: CVE Published:; 22 July 2020

What is CVE-2014-1422?

In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered by creation time by the Select struct in src/core/trust/impl/sqlite3/store.cpp. Fixed in trust-store (Ubuntu) version 1.1.0+15.04.20150123-0ubuntu1 and trust-store (Ubuntu RTM) version 1.1.0+15.04.20150123~rtm-0ubuntu1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

trust-store (Ubuntu RTM) 1.1.0 < 1.1.0+15.04.20150123~rtm-0ubuntu1

trust-store (Ubuntu) 1.1.0 < 1.1.0+15.04.20150123-0ubuntu1

References

https://launchpad.net/bugs/1387734

x_refsource_CONFIRM

https://bazaar.launchpad.net/~phablet-team/trust-store/tr...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 22, 2020
Vulnerability Reserved
Jan 13, 2014

Credit

David Barth

JSON

Canonical