@yorugecko: Thanks for the info; I saw yesterday on a Virtual machine
of 11.10 the Xorg server update and I thought too it will solve the
solution. Too bad I can't really test my graphic tablet through a Virtual
Machine to confirm, but I'm pretty sure it's ok since my old solution
was to update th
Ignore my last comment - I was just able to reproduce it. Sorry for
the ones who got their hopes up :(
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to gimp in Ubuntu.
https://bugs.launchpad.net/bugs/863154
Title:
Wacom Bamboo One
An effective workaround for me is to turn off X-tilt and Y-tilt in the
input-device settings.
I didn't have to do this in 11.04, and I don't know what it affects -
but as far as this bug goes - it's an effective workaround, as I haven't
been able to reproduce it since.
--
There is no /media on BSD.
(Other than that, YMMD.)
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper has 5 Major Vulnerabilities
To manage notificatio
As I have already said, in a previous response, I would be delighted if
someone developed a zero config library that worked across linux distributions
and BSDs to mount USB devices. What's needed is that it allow:
1) The mounting of any USB block device identified by device node
to a mountpoi
I agree with Preston. Discussion rapidly devolved from the beginning
into accusations thrown around. Everybody is in a bad mood when they
report bugs and when they receive bugs. Extra care must be taken by
everyone to avoid inflammation. It would be helpful if the folks
involved apologized, bac
this problem has disappeared for me with the last 11.10 update!
--
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to gimp in Ubuntu.
https://bugs.launchpad.net/bugs/863154
Title:
Wacom Bamboo One tablet random coordinate malfunctions
@kovid:
I understand that you have a full plate, but your initial reaction was
not just to question the legitimacy of the exploits but to dismiss them
as sanctimonious when people kept insisting that the issues were more
severe than you assumed. However, that you are apologetic is to be
respected.
@preston:
Well, let me say that if I was the one that first showed attitude, I
apologize. But you have to remember that I do *all* calibre bug triage (besides
doing a large part of the development). I get to deal with lots of bug
reports from people, the vast majority of which are dubious at best
@Dan: You were on my ignore list, which meant I never saw your exploit (I
interact with launchpad via email). I only saw it when Jason mentioned it in a
post of his. If I had seen it earlier, I would have attempted to fix it. See
for instance my posts asking Jason for news on an updated exploit.
@Kovid
Great to hear!
--
@Dan:
Right.
In other words, mount /dev/sdaX to /dev/newfolder using the race
condition exploited in .70-calibrer. Then build the stager in
/dev/newfolder/home/username/whatever. Then use the race exploited in
.80-calibrer to toggle whatever between being a symlink to /dev/sda and
being the stage
@kovid
Your behavior toward Dan is confusing, as he has been cordial and
informative. There is nothing to suggest he has been a "destructive
influence" in any of his posts. It was you who first showed attitude
toward both Dan and Jason in posts #7 and #9, the consequences being a
bug report that h
@Jason: Well, if you do not wish to help, that leaves me with no choice but to
remove the mount helper. I think it's a pity, for those people for whom
device detection in calibre will stop working out of the box. But, I tried, to
the best of my ability. I had hoped that we could work together to ma
@Dan: As I suspected, you're in this not to contribute something to the
community, but as a destructive influence. You will not be missed. Try
and remember that I am not attempting to fix calibre-mount-helper for
some sort of personal gain, but simply to allow people using calibre to
have the best
My final word is that you should give up trying to reinvent the wheel,
and use a method supplied by the distro for mounting disks. It's not
worth my time to play whack-a-mole here. As Dan said, "Usually I get
paid good money to own software this hard, and I don't think you're
worth making an except
I keep trying to leave this bug report but I keep getting dragged in.
It's worse than Twitter.
"As I suspected, you're in this not to contribute something to the
community, but as a destructive influence. You will not be missed."
You seriously think I came to this thread to start a fight with you
@Kovid:
Yet you continue to ignore some major advice about how to fix it. Have
you chdir'd yet? No. Still vulnerable.
--
Hello. I've attached a patch for you, as requested. It replaces the
mount helper with the nice udisks-based script that ubuntu ships. For
distributions that do not support udisks, they can add their own. Or,
you can write something different. In light of this, you might consider
removing the follow
Please note that I misjudged just how broken this code is, and
restricting /dev/shm is not enough to prevent from mounting arbitrary
devices. I expect Jason will show you how.
Just so this is perfectly clear: what's happening in this bug report
right now is a perfect example of how *not* to do se
Unfortunately, the saga continues. Your /shm/ check doesn't do anything,
because, as it turns out, because you realpath twice, I don't need to
use /shm/ at all! Your code is still broken. Giving up should still be
an option on the table for you. In case, however, you've become
determined and still
It's way past my bedtime, so I'd appreciate it if you could post the patch to
mount-helper (by now you should be as familiar with the code as I am). If not,
I'll get to it tomorrow. And thanks for the help.
--
@Kovid
Shucks. Just as I was beginning to make progress on .80 Calibrer!
http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c
But you still have major problems in the code -- there are still two
race conditions, with the one exploited in .70 the most dangerous.
Namely,
@Jason: One more commit that adds another point of failure to your last
exploit (rev 10791)
--
FWIW, Thunar running a similar gauntlet, toward GIO, and the issues of handling
different pluggable devices:
http://gezeiten.org/post/2010/01/Thunar-volman-and-the-deprecation-of-HAL
--
Do you seriously think your little hackish script works better than HAL?
If so, I recommend to do something about your cognitive problems.
--
HAL never worked perfectly on anything. That was the reason it was deprecated.
http://en.wikipedia.org/wiki/HAL_(software)#Deprecated
Seriously, if you spent a moment glancing over the calibre feature list, or
actually using it, you would know that it connects to ebook reader devices,
devices tha
The correct way to make it secure is to remove it.
The way to make it WORK is to remove it. By calling a specific, broken
setuid helper, calibre puts a risk on the system, but it also fails to
accomplish the task, since it should actually be done through the native
OS tools, and can conflict with
"Removing or limiting the ability to interact with devices significantly
reduces calibre's usefulness on Linux. So you can see why Kovid wants to
work on making it secure instead of blindly removing it."
If Kovid actually wanted to "work on making it secure", he might listen
to the explicit sugges
> Seriously, what is the point of a mount helper in an ebook reader
> application?
calibre's focus is ebook management. Interaction between your dedicated
ebook reader and your library. The aim is to be to ebooks and ebook
reading device what iTunes is to the iPod. calibre does have an ebook
reading
Same problem here with Wacom Bamboo pen&touch and with a Wacom Intuos
4M
--
GIO works perfectly fine with HAL, which has been working on all BSD
systems and Solaris for a number of years already.
Seriously, what is the point of a mount helper in an ebook reader
application? What you are trying to achieve is as if Mozilla was
shipping network drivers together with their br
@Josselin: Thanks for the suggestion. calibre already uses udisks when
available. The problem is to find something that works on older systems and on
BSD. If I were developing only for modern linux distros, I'd be quite happy to
abandon the mount helper altogether in favor of udisks. As it is, I w
Kovid: Hopefully you're willing to resume discussion with me, as I am
interested in helping resolve these issues.
The current checks in place are insufficient to prevent users from
mounting any device to any location, because there are timing issues
that may be exploited. Here are the following s
@Kovid: if you’re looking for a high-level library to manage mounts,
you’re not short on options. The easiest one being of course GIO, which
will use either of udisks or HAL as backend depending on the OS.
--
What I haven't figured out yet: will calibre install the mount helper no
matter what, or only on linux systems which are lacking a suitable
alternative?
--
@evan: Certainly an install time question asking the user if they want
to install the mount helper is an option. One that I can fall back to if
we determine that the mount helper indeed cannot be made secure.
--
@Kovid: I understand your desire to maintain compatibility with
environments that lack pmount as an option. How about adding support for
pmount OR your mount helper, perhaps via a compiler directive? Make
pmount the secure default; if a handful of people want to use Calibre in
an environment that
> @Jason: Any news on your attempt at a new exploit?
Jason's last post was approximately midnight his time. I'm going to
assume he's asleep right now and won't be working on a new exploit until
tonight or possibly tomorrow.
--
I wish to apologize to the community for my post #35. It served no
useful purpose. Thanks are due to you all for constructively ignoring
it.
--
@halfdog: Indeed, a standalone, zero config library that allows
unprivileged programs to securely mount and eject USB drives would be a
blessing for several programs, not just calibre. I have learned a great
deal in the process of fixing the issues brought up in this bug report
and if it turns out
Since Ubuntu uses the latest Chromium, it's fixed here as well.
** Changed in: chromium-browser (Ubuntu)
Status: New => Fix Released
--
@Kovid: I am not comfortable with you modifying pmount either. You seem
to have good ideas about usability but about security not so much. I
will simply uninstall calibre for now.
--
This discussion has some similarities to problems with fusermount
binary, see https://bugzilla.redhat.com/show_bug.cgi?id=651183 for good
arguments while fixing races there. Perhaps something could be reused,
or create a libsecuremount with workaround while linux (u)mount-syscalls
are problematic,