Still unfixed. There are still exploitable race conditions present that allow you to mount whatever you want wherever you want.

For example, to mount a device not under /dev, simply provide an argv[2] referring to a symlink pointing to somewhere in /dev, and after the realpath()'d version is checked, switch the target to somewhere else. If you want to do this properly, you need to update the device source such that after calling realpath(), all subsequent references to the device are to the realpath()'d version.

The same trick can be applied to mount on top of arbitrary mountpoints (which is a local root hole). First mount something you can write to onto a mountpoint in /media, and then exploit the race condition similar to above (switching from a mountpoint within /media to anywhere you like).

Even without these critical bugs, being able to mount anything in /dev on top of anything in /media is not a good idea - pmount restricts this to removable devices or devices whitelisted in a configuration file (/etc/pmount.allow). And you've done nothing to address the previously mentioned abilities to play with creating and removing arbitrary directories/files.

I strongly recommend giving up on implementing this yourself and instead creating a dependency on pmount or bundling it with your package (it's GPLv3, so it's license-compatible). It is very difficult to do what you want to do safely, and it is unacceptable to permit root privilege escalation vulnerabilities without documenting it.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title: SUID Mount Helper has 5 Major Vulnerabilities

To manage notifications about this bug go to: https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs