Package: mtpfs
Version: 0.9-3+b1
Severity: grave
Tags: security
Justification: user security hole (and possible data loss)

mtpfs from testing (the one from unstable is OK) is highly broken when an external SD card is installed, yielding possible security problems and data loss. With an SD card installed in my Galaxy Note II, I get:

# ls -l /media/mtp
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Alarms
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Android
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 LOST.DIR
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Movies
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Notifications
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Pictures
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Podcasts
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Ringtones
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Samsung
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 cloudagent
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 samsungapps

See the duplicate directories. They actually come from both the internal card (/storage/sdcard0/) and the external one (/storage/extSdCard/). The external one seems to take precedence.

So, if the user stores a private file into e.g. /media/mtp/Music/, the file will end up on the external SD card instead of the phone, which is a problem if the user shares the SD card with other people.

The user may also want to remove files from /media/mtp/Music/, e.g. with

  rm /media/mtp/Music/*

expecting that the files from the phone will be removed, but this will remove the files from the SD card!

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mtpfs depends on:
ii  fuse-utils    2.9.0-2
ii  libc6         2.13-37
ii  libfuse2      2.9.2-2
ii  libglib2.0-0  2.33.12+really2.32.4-3
ii  libid3tag0    0.15.1b-10
ii  libmad0       0.15.1b-7
ii  libmtp9       1.1.5-1

mtpfs recommends no packages.

mtpfs suggests no packages.

-- no debconf information
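
A check for the ambiguity described in the report above, as an added example that is not part of the original report or of mtpfs: it flags names that appear more than once in a mount point, so a write or rm through such a name can be held back. The function names and the sample listing (a constructed subset of the listing in the report) are assumptions of this example.

```python
import os
import sys
from collections import Counter

# Constructed sample: a subset of the "ls -l /media/mtp" output in the report.
SAMPLE_LISTING = """\
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Samsung
"""

def names_from_ls_l(text):
    """Extract entry names from 'ls -l' output in the report's column layout."""
    names = []
    for line in text.splitlines():
        # perms, links, owner, group, size, date, time, then the name;
        # limiting the split keeps names with spaces ("S Note") whole.
        parts = line.split(None, 7)
        if len(parts) == 8:  # skips "total N" and blank lines
            names.append(parts[7])
    return names

def ambiguous_names(names):
    """Return the sorted names that occur more than once in one directory."""
    counts = Counter(names)
    return sorted(name for name, count in counts.items() if count > 1)

def check_mountpoint(path):
    """Check a live mount. Assumption: the mount reports both same-named
    entries on directory reads, as the ls output in the report suggests."""
    return ambiguous_names(os.listdir(path))

def main(argv):
    if len(argv) > 1:
        dupes = check_mountpoint(argv[1])
    else:
        dupes = ambiguous_names(names_from_ls_l(SAMPLE_LISTING))
    for name in dupes:
        print("ambiguous entry, target storage unclear: %s" % name)
    return 1 if dupes else 0  # non-zero exit lets a wrapper script stop

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the mount point as its argument (for the report's setup, /media/mtp); a non-zero exit status means at least one name resolves to more than one storage.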