Launchpad CVE tracker

CVE 2014-1422

In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered by creation time by the Select struct in src/core/trust/impl/sqlite3/store.cpp. Fixed in trust-store (Ubuntu) version 1.1.0+15.04.20150123-0ubuntu1 and trust-store (Ubuntu RTM) version 1.1.0+15.04.20150123~rtm-0ubuntu1.

Related bugs and status

CVE-2014-1422 (Candidate) is related to these bugs:

Bug #1387734: Location service uses the cached authorization, even if the user denied location access to an app

		In	Importance	Status
1387734	Location service uses the cached authorization, even if the user denied location access to an app	location-service (Ubuntu)	Critical	Invalid
1387734	Location service uses the cached authorization, even if the user denied location access to an app	trust-store	Critical	Fix Released
1387734	Location service uses the cached authorization, even if the user denied location access to an app	trust-store (Ubuntu)	Critical	Fix Released
1387734	Location service uses the cached authorization, even if the user denied location access to an app	trust-store (Ubuntu RTM)	Critical	Fix Released
1387734	Location service uses the cached authorization, even if the user denied location access to an app	location-service (Ubuntu Utopic)	Undecided	Invalid
1387734	Location service uses the cached authorization, even if the user denied location access to an app	trust-store (Ubuntu Utopic)	Critical	Fix Released
1387734	Location service uses the cached authorization, even if the user denied location access to an app	location-service (Ubuntu Vivid)	Critical	Invalid
1387734	Location service uses the cached authorization, even if the user denied location access to an app	trust-store (Ubuntu Vivid)	Critical	Fix Released
1387734	Location service uses the cached authorization, even if the user denied location access to an app	Canonical System Image	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-1422

References