CVE-2012-5644

Vulnerability

A flaw in libuser versions prior to 0.60 (as shipped in Red Hat Enterprise Linux and Debian derivatives) causes an information disclosure condition when moving a user's home directory. The home directory is created with world-readable permissions before the move operation completes, allowing other local users to access the directory contents during a window of exposure [1][2]. The Debian package database confirms the issue is addressed in libuser versions 1:0.60~dfsg-1 for unstable, while older releases (squeeze, wheezy) are marked as no-DSA [4].

Exploitation

An authenticated local user must have access to the system at the time a user's home directory is being relocated. No special network position or additional privileges are required; the attacker simply reads files in the destination directory while it remains world-readable due to the permission misconfiguration during the move [2].

Impact

Successful exploitation allows a local attacker to read any files that are placed in the new home directory prior to the permission correction. This leads to information disclosure, potentially exposing sensitive user data such as SSH keys, configuration files, or personal documents [1][2]. The compromised data may belong to any user whose home directory is moved.

Mitigation

Red Hat assigned this issue a low-severity rating and marked it WONTFIX for affected products, recommending users avoid moving home directories via libuser or apply manual permission correction as a workaround [2]. Debian released fixed packages (1:0.60~dfsg-1) in unstable and later suites; older stable releases (wheezy, squeeze) are not planned for a security update [4]. Users should upgrade to a patched version where available or restrict local access to migrated home directories.