This has been fun, but in case you're actually interested in fixing the problem, I am still willing to help.
One way to fix races with the mountpoint is to chdir into the mountpoint, stat "." and check ownership, and mount on top of ".". That way there's no risk of users changing components of the mountpoint path out from under you. If the chdir fails, give a non-descriptive error message that does not delineate between the cause of failure for the chdir (otherwise an attacker can use this to determine the existence of files and directories in search paths he can't navigate to).

To fix races with the mount source, you should check against /dev/shm, as this is the only world-writable directory in most /dev filesystems that I know of.

That would at least solve the two biggest problems here, and then we can move on to addressing the smaller ones.

--
https://bugs.launchpad.net/bugs/885027
Title: SUID Mount Helper has 5 Major Vulnerabilities