Control: severity -1 grave

Hi Simon,

[not the maintainer here]

On Mon, Jun 18, 2018 at 02:14:03PM +0100, Simon McVittie wrote:
> Source: cantata
> Version: 2.3.0.ds1-1
> Severity: important
> Tags: security
>
> cantata contains a helper program cantata-mounter
> which runs as root (via D-Bus activation) and allows
> unprivileged users to do privileged mount operations via D-Bus
> IPC. This turns out to have several security vulnerabilities
> (<http://www.openwall.com/lists/oss-security/2018/06/18/1>) with the
> worst-case impact being local root privilege escalation.
>
> Mitigation: the Debian packaging doesn't seem to build cantata-mounter
> (or at least https://packages.debian.org/unstable/cantata says it isn't
> in the binary package for the architectures I tried). However, d/rules
> doesn't *explicitly* disable it, so I think there's a risk that it might
> become enabled by mistake in a future upload.
>
> Please close this bug when either cantata-mounter is specifically
> disabled, or the upstream source has been upgraded to a version that no
> longer includes cantata-mounter.

I might be wrong, but according to
http://www.openwall.com/lists/oss-security/2018/06/18/1 this looks
true for unstable and testing, which have 2.3.0.ds1-1:

"The daemon code is part of cantata since version 2.0.0 and it is built
by default in versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built
if `-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation."

The unstable binary package has both
/usr/share/dbus-1/system-services/mpd.cantata.mounter.service and
/usr/lib/cantata/cantata-mounter

Just not to be sorry afterwards, I'm raising the severity for this bug.

For stretch and older I think this is less of a problem, because
cantata-mounter is not built, and the service is not installed.

Regards,
Salvatore

_______________________________________________
pkg-multimedia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/bin/mailman/listinfo/pkg-multimedia-maintainers

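The regression risk Simon raises (cantata-mounter silently becoming enabled in a future upload) can be guarded with a packaging check that fails when either of the two paths Salvatore found shows up in the binary package. The script below is an added example, not part of this thread or of the cantata packaging; it assumes a file list in the shape of `dpkg -L cantata` or the path column of `dpkg-deb -c`, and the sample listings in it are constructed.

```sh
#!/bin/sh
# Added example (not from the bug report or the cantata package): fail when a
# built cantata binary package ships the root D-Bus mount helper.
# Input is one path per line, as printed by `dpkg -L cantata` ("/usr/...")
# or by the path column of `dpkg-deb -c cantata_*.deb` ("./usr/...").

# The two artifacts named in the report; either one means the helper is enabled.
MOUNTER_PATHS='/usr/lib/cantata/cantata-mounter
/usr/share/dbus-1/system-services/mpd.cantata.mounter.service'

# check_no_mounter FILE_LIST: report offending paths on stderr,
# return 0 when the package is clean and 1 when any artifact is present.
check_no_mounter() {
    found=0
    for p in $MOUNTER_PATHS; do
        # -F -x: match the whole line as a fixed string, with or without the
        # leading "." that dpkg-deb -c prints.
        if printf '%s\n' "$1" | grep -qFx -e "$p" -e ".$p"; then
            echo "FAIL: cantata-mounter artifact shipped: $p" >&2
            found=1
        fi
    done
    return $found
}

# Constructed sample listings (not real package contents).
CLEAN_LIST='/usr/bin/cantata
/usr/share/applications/cantata.desktop'
UNSAFE_LIST='./usr/bin/cantata
./usr/lib/cantata/cantata-mounter
./usr/share/dbus-1/system-services/mpd.cantata.mounter.service'

# Against an installed package, e.g. from debian/rules or an autopkgtest:
#   check_no_mounter "$(dpkg -L cantata)" || exit 1
```

Wiring the check into the build or an autopkgtest turns the "not built" state into an enforced property instead of an accident of the default cmake options.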