@Matt: I am not comfortable modifying pmount. What guarantee would I
possess that my modifications did not introduce an exploit? In contrast
the mount helper is 300 lines of C code, much easier to review and
modify, as this bug demonstrates. Similar problems exist with udisks.
Adding something as a
1) It does not work out of the box on all distros (it needs
configuration)
Contribute whatever magic you used to work around doing this
configuration yourself.
2) It may not even be installed on some distros, for example, it isn't
installed by default on gentoo.
I'm certain that Calibre isn't in
Kovid -- in response to #45, it does in fact work. The paths might be a
little different on your distro (it's an easy exploit to modify). Here's
a screencast of it in action:
http://git.zx2c4.com/calibre-mount-helper-exploit/plain/70calibrerassaultmount-demo.ogv
I'm glad you've restricted /dev t
Code committed to check if the device node being mounted is a block device and
exit if it is not.
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper has 5
To summarize where we are now. The mount helper currently allows any
user to:
1) Mount anything under /dev/ to a mountpoint under /media
2) Create empty directories anywhere if they can create symlinks in /media
3) Remove empty directories in /media
This is pretty much the minimal set of requirem
Kovid: The most recent exploit I posted most certainly works, as I
tested it on the version of calibre-mount-helper currently in trunk.
@Donnenfeld: Your exploit does not work against current
calibre-mount-helper, since I have fixed the mounting of symlinked dirs in both /dev
and /media. Closing this bug. Re-open it only if you can point
to/describe an actual exploit against current calibre-mount-helper.
For the rest of you, feel
So, any decent replacements for calibre? Mostly to convert between file
formats.
HEY!
This is all over reddit now!
http://www.reddit.com/r/programming/comments/lzb5h/how_not_to_respond_to_vulnerabilities_in_your_code/
Unassigning myself for Inkscape (Ubuntu) for now. I'll hopefully come
back to this when I have had more time to read the API.
** Changed in: inkscape (Ubuntu)
Status: In Progress => Triaged
** Changed in: inkscape (Ubuntu)
Assignee: Alex Valavanis (valavanisalex) => (unassigned)
--
FWIW I didn't know anything about calibre before reading this. I read
this because it was handed to me as an example of how not to handle a
bug report. As I read through it, and the argument about whether having
an application that lets anyone mount anything anywhere, a realization
slowly dawned
Source changes are needed for Inkscape for build to succeed with lcms2,
so I have forwarded this upstream
** Also affects: inkscape
Importance: Undecided
Status: New
** Tags added: build
Why do you really want to handle the auto-mounting part by yourself? I mean, if
udisks (or other) is not available, the user will probably know how to mount a
removable device by his own without needing the help of any helper tool, every
desktop linux user should know how to mount a removable de
"To fix races with the mount source, you should check against
/dev/shm, as this is the only world-writable directory in most /dev
filesystems that I know of."
Or more generally, stat and check root ownership and permission on the
directory of the device. (Though, you can't chdir into both.)
You a
This has been fun, but in case you're actually interested in fixing the
problem, I am still willing to help.
One way to fix races with the mountpoint is to chdir into the
mountpoint, stat "." and check ownership, and mount on top of ".". That
way there's no risk of users changing components of th
Warning to all:
I'd be wary running this 70-calibreassaultmount.sh on multi user systems. The
temporary file used to drop a payload is created in an insecure manner and can
be exploited to execute code under the context of the user.
I would like ubuntu for not including this obviously exploitab
@Jacob Appelbaum
@Chris Vickery
Do you really believe that throwing insults around in this bug report is
going to resolve any issues? Unless you have something constructive to
contribute to the bug report, please find another outlet for your
frustrations.
> Jacob Appelbaum wrote:
> Thanks to Ubuntu for not shipping an obviously exploitable component in the
> face of an
> arrogant upstream author who puts his users at risk.
Until this comment, I was on the side of fixing with the exploits. Now,
as far as I am concerned you should go play frisbee o
chmod +x 70calibrerassaultmount.sh
./70calibrerassaultmount.sh
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper has 5 Major Vulnerabilities
To manage n
I'm not sure this is actually exploitable...the posted exploit fails on
my GNU/kFreeBSD box:
$ gcc 70calibrerassaultmount.sh -o full-nelson
70calibrerassaultmount.sh: file not recognized: File format not recognized
$ ./full-nelson
-bash: ./full-nelson: No such file or directory
Is there different
I find it baffling how poorly the developers for this project are
handling this bug. It is, in fact, already circulating the internet due
to their arrogance.
(2:45:52 PM) MyFriend: ha ha calibre devs are annoying.
(2:46:15 PM) MyFriend: https://bugs.launchpad.net/calibre/+bug/885027
Thanks to Ubuntu for not shipping an obviously exploitable component in
the face of an arrogant upstream author who puts his users at risk.
** Changed in: calibre
Status: Fix Released => Confirmed
Ubuntu, from 10.10 (maverick) and after, uses the udisk-based shell
script that Martin Pitt wrote instead of the upstream calibre setuid
helper. In Ubuntu 10.04 LTS (lucid), the calibre package does not
include the setuid helper at all. Ubuntu 8.04 LTS (hardy) does not
include calibre at all. Marki
Kovid: No, you haven't. Your code contains a race condition that allows
a bypass of the checks you've put in place. Here's another exploit.
You can warn and ignore me all you want, it doesn't make this code any
safer.
** Attachment added: "Yet another exploit"
https://bugs.launchpad.net/cali
@Rosenberg: Yes, I have. And you were warned, this is the last response you
will get from me.
@Mike: Many distros replace calibre-mount-helper with something suitable for
the particular distros' disk handling strategy, and I encourage you to do the
same in Gentoo if you don't already do it (inciden
For the record, I'm not in any way attached to using pmount, I just
wanted to pose it as a potential second choice. udisks is much better,
is nearly universally supported amongst desktop Linux distributions, and
is what Ubuntu and Debian currently use for this.
"2) It may not even be installed on some distros, for example, it isn't
installed by default on gentoo."
That should not be considered an issue. If we need to update
dependencies for calibre for our users on Gentoo, we do it.
As a Linux distribution, dependency resolution is our problem
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: freemind (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to freemind in Ubuntu.
https://bugs.launchpad.net/bugs/8
"First note that unprivileged users cannot create symlinks in /dev
on any well designed system. So symlink attacks are not actually
possible, nonetheless, I have already removed the possibility of using
symlinks under /dev."
You've forgotten about /dev/shm.
And you still haven't fixed the ability
I've already committed a fix for symlinks in /dev, maybe you missed my last
comment.
pmount will not work, I have told you why
it will not work. I am not going to repeat myself.
Let's recap:
First note that unprivileged users cannot create symlinks in /dev
on any well designed system. So symlink
Till: Yes, there really is a libraw. :) You're not seeing it because
on Ubuntu Shotwell is built using libraw as a static library, so libraw
is compiled into the Shotwell executable. It would be nice to use a
shared library instead, but we can't do that at the moment because
libraw.so currently
Still unfixed. There are still exploitable race conditions present that
allow you to mount whatever you want wherever you want.
For example, to mount a device not under /dev, simply provide an argv[2]
referring to a symlink pointing to somewhere in /dev, and after the
realpath()'d version is chec
*** This bug is a duplicate of bug 863154 ***
https://bugs.launchpad.net/bugs/863154
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: gimp (Ubuntu)
Status: New => Confirmed
Requested version is available in Debian unstable.
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to gbrainy in Ubuntu.
https://bugs.launchpad.net/bugs/884895
Title:
Update gbrainy 2.03 in Ubuntu 11.10 to 2.05
To manage notifications a