[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
This bug was fixed in the package gsettings-desktop-schemas - 45~rc-1ubuntu1 --- gsettings-desktop-schemas (45~rc-1ubuntu1) mantic; urgency=medium * Merge with Debian. Remaining changes: - Add ubuntu_lock-on-suspend.patch - Add dark-theme migration script using dh-migrations * Drop Breaks: ukwm because ukwm still runs but fails to build from source for unrelated reasons gsettings-desktop-schemas (45~rc-1) unstable; urgency=medium * New upstream release - media-handling: Don't autostart software by default when media is inserted (LP: #1983778, LP: #1617620) * Add Breaks against packages that used dropped toggle-shaded * Drop obsolete Breaks gsettings-desktop-schemas (44.0-2) unstable; urgency=medium * Update standards version to 4.6.2, no changes needed * Release to unstable -- Jeremy Bícha Thu, 07 Sep 2023 13:24:00 -0400 ** Changed in: gsettings-desktop-schemas (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gsettings-desktop-schemas in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in GSettings Desktop Schemas: Fix Released Status in gsettings-desktop-schemas package in Ubuntu: Fix Released Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gsettings-desktop-schemas/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Changed in: gsettings-desktop-schemas Status: New => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in GSettings Desktop Schemas: Fix Released Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gsettings-desktop-schemas/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Changed in: gsettings-desktop-schemas Status: Unknown => New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in GSettings Desktop Schemas: New Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gsettings-desktop-schemas/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Bug watch added: gitlab.gnome.org/GNOME/gsettings-desktop-schemas/-/issues #46 https://gitlab.gnome.org/GNOME/gsettings-desktop-schemas/-/issues/46 ** Changed in: gsettings-desktop-schemas Status: Fix Released => Unknown ** Changed in: gsettings-desktop-schemas Remote watch: gitlab.gnome.org/GNOME/gnome-control-center/-/issues #2522 => gitlab.gnome.org/GNOME/gsettings-desktop-schemas/-/issues #46 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in GSettings Desktop Schemas: Unknown Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gsettings-desktop-schemas/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Project changed: gnome-control-center => gsettings-desktop-schemas -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in GSettings Desktop Schemas: Fix Released Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gsettings-desktop-schemas/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Changed in: gnome-control-center Status: New => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center: Fix Released Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Changed in: gnome-control-center Status: Unknown => New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center: New Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Bug watch added: gitlab.gnome.org/GNOME/gnome-control-center/-/issues #2522 https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2522 ** Also affects: gnome-control-center via https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2522 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center: Unknown Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
Hey Marc, Per your request, bug number is: #2522 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
I personally don't think the reasons you've listed above are good enough to change the default setting, but please file a bug with the upstream project and you can convince them to change them: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues Once you've filed a bug with the GNOME project, please paste the bug number here. Thanks! ** Changed in: gnome-control-center (Ubuntu) Status: Incomplete => Confirmed ** Changed in: gnome-control-center (Ubuntu) Importance: Undecided => Wishlist -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center package in Ubuntu: Confirmed Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
Hey @Marc Deslauriers (mdeslaur) , I appreciate your reply, but please consider the following: Reason #1: Having that pop-up screen easily allows to perform the execution of a software. Imagine, for example, a malicious person in a College or some other public place - quickly inserting a USB device to a briefly unattended laptop and quickly clicking "Run" on the warning dialog. These things may happen! I've witnessed students conspire to do that! Why would Ubuntu make it so easy for people to execute software automatically? Reason #2: In the security aspect, the default approach should be to avoid any execution of software, or at least make it more difficult. Automatic execution of software which is in a USB drive is considered a bad practice and is outdated. Reason #3 I think that most people don't use an automatic execution of software. Thus, why would Ubuntu even allow it to happen so easily? Any person who use automatic execution could configure the appropriate configs. But there is no reason for it to be allowed by default. --- Bottom line, we are in an era where all options for Removable Media should be "Do nothing" and the tickbox of "Never prompt or start programs on media insertion" should be ticked. The user has the option to change these configs. Preferably, only admin (verified with password) is allowed to change these configs. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center package in Ubuntu: Incomplete Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1983778] Re: Major security issue in Ubuntu Desktop default config - Removable Media
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu. https://bugs.launchpad.net/bugs/1983778 Title: Major security issue in Ubuntu Desktop default config - Removable Media Status in gnome-control-center package in Ubuntu: Incomplete Bug description: There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04 ! Recently I used Ubuntu 22.04 LTS and noticed that the issue still exist! I don’t know the reason for it, but default values for “Removable Media” are VERY Risky! It will automatically run the software which is attached to the removable media. Why? Why has Ubuntu still didn’t disable that option? The following is the default configuration (the “bad” configuration): https://imgur.com/XXXQlV2 The following is the configuration which Ubuntu should be having (it is the fix to the problem): https://imgur.com/a/0JeM6ve Please change the default configurations for Ubuntu! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1983778/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp