Hello Kevin, thanks for the excellent GHSL-2020-161 report. Given that
the polkit rules are intentional, if ancient, and the udisks2 team
doesn't want to treat the symlink finding as a security bug, I'm going
to open this publicly and mark it wontfix, to reflect what's likely
going to happen for our currently released systems.
I do hope upstream handles the symlink discovery eventually but I can
appreciate why they wouldn't want to handle it as a security issue.
Thanks
** Information type changed from Private Security to Public Security
** Changed in: policykit-desktop-privileges (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to policykit-desktop-privileges in Ubuntu.
https://bugs.launchpad.net/bugs/1899019
Title:
Typo in UDisks action
Status in policykit-desktop-privileges package in Ubuntu:
Won't Fix
Bug description:
It appears that com.ubuntu.desktop.pkla contains a typo in the UDisks
section:
[Mounting, checking, etc. of internal drives]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.udisks.filesystem-*;org.freedesktop.udisks.drive-ata-smart*;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock-system;org.freedesktop.udisks2.filesystem-fstab;
ResultActive=yes
Notice that the first two actions contain the string "udisks", rather
than "udisks2", which appears to be a typo.
However, the typo is actually a lucky accident because it is
preventing a vulnerability in UDisks from being exploited. The
vulnerable code in UDisks is protected by the `org.freedesktop.udisks2
.filesystem-take-ownership` polkit action, so it will become
accessible if the typo is fixed. I have separately reported the UDisks
vulnerability to the maintainers of UDisks. I have attached a copy of
that report for your information.
I would recommend removing the first two actions from this file. Since
they don't currently work, presumably nobody will miss them if they
are removed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-desktop-privileges/+bug/1899019/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
