[Android-tools-devel] Bug#1068343: adb: move-log-file-to-proper-dir.patch is incorrect (CVE-2012-5564)

[Max Nikulin]

Package: adb
Version: 1:29.0.6-28

This is a follow-up to
- #688280 android-tools: CVE-2012-5564: android-tools-adb creates a file 
with a static file name in /tmp
- #823792 adb creates its log file in /tmp

adb still creates log files in /tmp and
move-log-file-to-proper-dir.patch aimed to use /run/user
for log files does not work as expected.

The upstream bug
https://issuetracker.google.com/issues/37008476
"The adb server has a hardcoded write to /tmp/adb.log."
was marked as "Won't fix".

It seems, stat is incorrectly called for the expected file name, so the 
test fails after reboot. The directory name should be used instead.
I expect something like

+    const char *xdg_dir = getenv("XDG_RUNTIME_DIR");
+    std::string log_dir = xdg_dir ? xdg_dir
+      : android::base::StringPrintf("/run/user/%u", getuid());
+    struct stat st = {0};
+    if (stat(log_dir.c_str(), &st) == 0) {
+      return log_dir + "/adb.log";
+    }

I do not consider it as a serious security issue since
"sysctl fs.protected_symlinks" is set by default nowadays.
https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-symlinks

Perhaps there are cases (a lab for students) when somebody may create a
file with a UID of another user (e.g. /tmp/adb.1001.log) causing some
annoyance. As a workaround the following snippet may be sourced when
user environment is initialized:

if [ -z "$ANDROID_ADB_LOG_PATH" ]; then
     android_adb_log_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
     if [ -d "$android_adb_log_dir" ]; then
         export ANDROID_ADB_LOG_PATH="$android_adb_log_dir/adb.log"
     else
         printf "%s: does not exist, adb log would be created in %s\n" \
             "$android_adb_log_dir" "${TMPDIR:-/tmp}" 1>&2
     fi
fi

I believe, the patch should be either dropped or fixed. In the latter
case log file location should be documented in
/usr/share/doc/adb/README.Debian