GCVE - cpe:2.3:a:deepin:deepin-clone:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:deepin:deepin-clone:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Deepin (`26f6ea36-40df-5075-8a07-f166559a4f15`)
Product	Deepin Clone (`f4a05c89-e2cc-5663-a750-9cc1056c14fb`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/linuxdeepin/deepin-clone`	purl2cpe	2026-06-01 10:11:31.927092
`pkg:rpm/fedora/deepin-clone`	purl2cpe	2026-06-01 10:11:31.927094
`pkg:rpm/opensuse/deepin-clone`	purl2cpe	2026-06-01 10:11:31.927095

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2019-13228`	vulnerable	2026-06-08 05:12:42.011460	Details available deepin-clone before 1.1.3 uses a fixed path /tmp/repo.iso in the BootDoctor::fix() function to download an ISO file, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. By winning a race condition to replace the /tmp/repo.iso symlink by an attacker controlled ISO file, further privilege escalation may be possible. Published: 2019-07-04T11:33:08.000Z Updated: 2024-08-04T23:49:24.323Z Open on db.gcve.eu Reference links https://bugzilla.suse.com/show_bug.cgi?id=1130388 https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab http://www.openwall.com/lists/oss-security/2019/07/04/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCHGRJV5CWTMYEE5B5C2FNMCFVP45S7H/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-13227`	vulnerable	2026-06-08 05:12:42.010967	Details available In GUI mode, deepin-clone before 1.1.3 creates a log file at the fixed path /tmp/.deepin-clone.log as root, and follows symlinks there. An unprivileged user can prepare a symlink attack there to create or overwrite files in arbitrary file system locations. The content is not attacker controlled. Published: 2019-07-04T11:32:59.000Z Updated: 2024-08-04T23:49:23.912Z Open on db.gcve.eu Reference links https://bugzilla.suse.com/show_bug.cgi?id=1130388 https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab http://www.openwall.com/lists/oss-security/2019/07/04/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCHGRJV5CWTMYEE5B5C2FNMCFVP45S7H/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-13226`	vulnerable	2026-06-08 05:12:42.010483	Details available deepin-clone before 1.1.3 uses a predictable path /tmp/.deepin-clone/mount/<block-dev-basename> in the Helper::temporaryMountDevice() function to temporarily mount a file system as root. An unprivileged user can prepare a symlink at this location to have the file system mounted in an arbitrary location. By winning a race condition, the attacker can also enter the mount point, thereby preventing a subsequent unmount of the file system. Published: 2019-07-04T11:32:50.000Z Updated: 2024-08-04T23:49:23.882Z Open on db.gcve.eu Reference links https://bugzilla.suse.com/show_bug.cgi?id=1130388 https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab http://www.openwall.com/lists/oss-security/2019/07/04/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCHGRJV5CWTMYEE5B5C2FNMCFVP45S7H/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.