[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-08 Thread Jason A. Donenfeld
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4124

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4125

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4126

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-07 Thread gregpuppy
I have been an avid advocate of calibre among foss circles. Given how
things turned up, I would like to apologize to all people that had
(possibly) their computers compromised and -in specific- to my friend
Zet.

Kudos go to Kovid, Dan and Jason.
I will continue to support and evangelize calibre.

Only one local exploit in the last 5 years <3



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-06 Thread Jake Edge
Now that calibre-mount-helper has been removed, shouldn't the install
script look for it and remove it?  That way folks that upgrade won't end
up with a dangling copy?  Or do I misunderstand how the install/upgrade
process goes?

jake



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Fou-Lu
Kovid,

Because of the treatment you demonstrate towards your users, I have
decided to uninstall calibre, effective immediately.

Sincerely,

Leon Kaiser of the GNAA


PS: Can anyone suggest any alternatives to calibre?

** Attachment added: "The fix!"
   https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2585968/+files/fix.txt



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Harris Reid
Also pardon my bad English & noncontributing comment (this one too).



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Harris Reid
I was quite concerned and excited when I learned that I've got
calibre-mount-helper and saw these exploits getting a lot of attention. My
initial instinct was to uninstall calibre. Call me paranoid but it questions
the security of the rest of the package as well. So I tested one of them:
.50 version.
Didn't work, then I tried .60 and .70. Didn't work as well. I was disappointed.
I was curious so I tried:
$ cat /usr/bin/calibre-mount-helper
And this is what I got:
#!/bin/sh

# This is a dummy script shipped in the fedora calibre package. 
# Since we have better/safer/easier ways to mount mass storage devices
# there's no need to have a suid binary try and do this. 
# This script simply exits telling calibre that the device is already
# been mounted by your desktop. 

exit 1

That's when I remembered why I like Fedora.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Bob/Paul
@Fou-Lu - Please, grow up. With much difficulty, he has removed the
broken functionality/exploitable code.

@Thorsten - I have /media on FreeBSD 8.2. That's where KDE likes to
mount things for me.

@Kovid - HAL was deprecated on linux, but not on BSD. Instead the issues
in HAL were fixed, and the HAL we have on BSD is much improved compared
with whatever HAL was last developed in the Linux kernel. As far as I
can tell, GIO is working fine with HAL on my system, though I can't say
I've done any programming with it; I've always found it sufficient to
mount/unmount manually using the dolphin file browser. As it sounds like
many distros have already been specifically patching your application
before distributing it in their repos, perhaps it would be good to
survey what various package managers are doing on Fedora, Debian/Ubuntu,
FreeBSD (it's in ports...), OpenSuse, etc. Perhaps a consensus can be
found that you've overlooked.

Or maybe a single binary that works everywhere without compiling
solution just isn't appropriate for the unix world. Certainly I make
sure my users have a very good reason for installing anything from
upstream sources on our network. If something's in the repositories/ports
collection, then there better be something seriously wrong with it to
allow upgrading from somewhere else. I can certainly remember a few
cases where the upstream developer was feigning ignorance while
carefully crafting network security holes which package maintainers
dutifully patched, until the project was finally excluded from the
repos.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Bob/Paul
More clear had I written "With much regret, he"



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Leon Kaiser
@Bob/Paul He treated his userbase with contempt and disrespect. I refuse
to use anything made by this man.


Leon Kaiser of the GNAA.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Kvazary
A typical example how one should _not_ report a bug, and how one should _not_
respond to bug reports! Too much ego from reporter and developer only lead to
great loss for Linux/BSD users.
For bug reporters, please provide a link to amazing software/patch you wrote 
before you start preaching software practices! For developers, please treat 
your users with respect!

At the end, the bug at least shows the sorry state we have on Linux in
regards of modern programs dealing with various devices.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Neo139
As calibre user I want it to work out of the box, but I would prefer
having to execute it as root every time just to have its full features,
rather than giving every user on the system the ability to become root.
I agree with ravomavain on this, gksu is the way to go.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread gsbabil
OFF-TOPIC

This thread has been tagged as "How to Absolutely Not React To
Vulnerabilities In Your Code" by Packet-Storm
http://packetstormsecurity.org/news/view/20122/



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
> As calibre user I want it to work out of the box ... I agree with
> ravomavain on this, gksu is the way to go.

The mount helper was only used if udisks is not present. calibre still
works out of the box on the vast majority of modern Linux distros.

Adding support for gksu would require dependencies (and the inclusion)
on GTK, PolicyKit and gksu-polkit. I don't see it being very likely that
a distro that does not support udisks will support all of the
requirements for gksu. Remember the mount helper was only a fall back
when better methods (udisk) was not present.

Also calibre is a Qt project. A Qt (not GTK) solution would make more
sense.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Monk
While I fully agree that any form of vulnerability should be fixed, I
think many here are doing Kovid wrong.

a) He is providing the currently greatest piece of software for ebook
management for free, donating large portions of his free time into the
project

b) Giving full support here and on the mobileread.com forum

c) Has the full right to be proud of his work and initially doubt and/or
question vulnerability reports from an unknown source

d) Has shown that he is willing to learn and improve once he was
convinced that people like Dan Rosenberg and Jason A. Donenfeld are
really experts in their profession and know what they are talking about

The three main actors (Kovid, Dan, Jason) had a very emotional and kind
of non-constructive start (for me attributable to all three - no offence
meant) but it turned to the better. Kovid initially being very usability
minded while Dan and Jason being completely security minded they came to
a more mutual understanding during this discussion.

And given the nature of a discussion, defending one's position until
being convinced is just normal. Exaggerated and insulting comments like
"treating users with disrespect", "I will uninstall Calibre...",
"Perfect example of how not to react to bug reports" are neither
appropriate nor justified.

From my side a big thumbs up for Kovid, Dan and Jason and many thanks
for your contributions to the Open Source world.

Kind regards



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Markus Majer
..but for those who want to switch it should be noted that there is the
package fbreader which is also not bad, here in Launchpad to find at:
https://launchpad.net/fbreader

I only write this because of the question for alternatives - and one of
the greatest strengths of open-source software is the freedom to choose.

But of course, I also hope the people who want to help and the
developer, get together and we get a secure ebook reader again.

If not, I also want to say that there is another big strength of open-
source software: The possibility to fork... ;)

Just my 5 eurocents..



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
> ..but for those who want to switch it should be noted that there is
> the package fbreader which is also not bad, here in Launchpad to find
> at: https://launchpad.net/fbreader

FBReader is only a reader. calibre is a reader, manager, news
downloader, converter, and more.

> But of course, I also hope the people who want to help and the
> developer, get together and we getting a secure ebook reader again.

It is secure. If you had read any of the number of posts where multiple
people have said that the mount helper (the insecure component) is now
removed you would realize this.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Neo139
"The mount helper was only used if udisks is not present. calibre still
works out of the box on the vast majority of modern Linux distros."

Please correct me if I'm wrong,
even if you have a modern distro with udisks, if you installed calibre via the
official binary install, which is recommended in the website ("Please do not
use your distribution provided calibre package, as those are often
buggy/outdated. Instead use the Binary install described below.") then
calibre-mount-helper gets installed automatically even if udisks is present.
Doesn't matter if calibre uses it or not. Every user that followed that advice
is now vulnerable to privilege escalation.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
@Neo139, That's why the mount helper has been removed. It introduces a
security vulnerability so the issue is resolved by not installing it on
users' systems going forward. Just like with any other program a user
will need to update to take advantage of security fixes.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Wulf C. Krueger
Gentlemen, Kovid fixed this bug by removing the component (which was the
right way to do it). I expect he's going to release the fixed version
very soon and then everyone who updates will be safe - regardless of
using a distro package or the binary installer.

Can we let this go now?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Josselin Mouette
@Kovid

The cross-platform library you are looking for already exists; why would
anyone gather with you to write a new one?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Siddartha
I am quite surprised how long this thread has gotten.

I side with Kovid. I admire him for doing this app. Because ever since
Red Hat 7 or 8 I keep reading on the open source (not free software!)
forums something along the lines of „if you need it — go build it, now
p*** off as we're doing something cool”. He has gotten up and wrote this
which is quite unique at the moment. Also he bothers to keep it updated
quite often while most of the open source projects (including corporate
backed Open Office for example) stagnate.

I also admire him for not playing the racism card. From what I gather
most of you come from the so–called western world, and in my life of
working for outsourced companies I've seen quite a few orientals
supporting their lack of education, language and coding skills with
this. This is the best he can do. If you can do better, please help him
patch it.

I do agree that he has an „interface” problem, which is more than
obvious in his forum postings on mobileread. To my shame I admit I do
not know much more than tasted a few curry dishes about his culture.
Just try to put yourself in his shoes. Maybe what comes up after a
translation as rude, harsh or plain stupid may just sound normal to
him. And attacking him just because of a misunderstanding can just make
things worse.

Maybe posting an „unsafe app” label might help. Most probably just
disabling some functions would make more people mad than those who
would be happy. Myself I'm sure I'd be split between the two. Also,
maybe reading closer the software licence as of „no liability
whatsoever” would make people more aware. Maybe just by signing Kovid
Goyal should be enough of a warning. He could have posted as Jon Johnson
just as well.


[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Jeffrey Walton
For example, to mount a device not under /dev, simply provide an argv[2] 
referring to a symlink pointing to somewhere in /dev, and after the 
realpath()'d version is checked, switch the target to somewhere else. If you 
want to do this properly, you need to update the device source such that after 
calling realpath(), all subsequent references to the device are to the 
realpath()'d version.
Kovid - This is a Time of Check/Time of Use (TOCTOU). You can read more about
it in Bishop and Dilger's paper at
http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf.
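
The check-then-use pattern and the fix described in the message above (resolve once, then refer only to the resolved object), as an added C example that is not calibre's code and not part of the original thread. The function names, the `between_check_and_use` hook and the temp-directory fixture are constructed for illustration; the demo uses regular files under /tmp so it runs without privileges.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Demo-only hook (hypothetical): stands in for a concurrent change that lands
 * between the check and the use, so the race is deterministic here. */
static void (*between_check_and_use)(void) = NULL;

/* 1 if `path` lies below directory `prefix` ("/dev" matches "/dev/sdb1", not "/devil"). */
static int under_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && path[n] == '/';
}

/* Check-then-use: validates the realpath()'d name, then opens the ORIGINAL name. */
int open_checked_racy(const char *user_path, const char *prefix) {
    char resolved[PATH_MAX];
    if (!realpath(user_path, resolved) || !under_prefix(resolved, prefix)) return -1;
    if (between_check_and_use) between_check_and_use();
    return open(user_path, O_RDONLY); /* resolves symlinks again: not what was checked */
}

/* Resolve once, use only the resolved name, and pin the object with a descriptor.
 * want_type is S_IFBLK for a device; the demo passes S_IFREG so it runs unprivileged. */
int open_checked_pinned(const char *user_path, const char *prefix, mode_t want_type) {
    char resolved[PATH_MAX];
    struct stat before, after;
    int fd;
    if (!realpath(user_path, resolved) || !under_prefix(resolved, prefix)) return -1;
    if (lstat(resolved, &before) != 0 || (before.st_mode & S_IFMT) != want_type) return -1;
    if (between_check_and_use) between_check_and_use();
    /* O_NOFOLLOW rejects a symlink in the final component only; parent directories
     * writable by the caller need openat()-style traversal on top of this. */
    fd = open(resolved, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || (after.st_mode & S_IFMT) != want_type) {
        close(fd);
        return -1;
    }
    return fd; /* callers keep using this descriptor, never user_path */
}

/* ---- constructed fixture: two temp directories, one "allowed", one not ---- */
static char g_link[PATH_MAX], g_inside[PATH_MAX], g_outside[PATH_MAX];

static void repoint_link(void) {
    if (unlink(g_link) != 0 || symlink(g_outside, g_link) != 0) perror("repoint");
}

static int same_file(int fd, const char *path) {
    struct stat a, b;
    return fd >= 0 && fstat(fd, &a) == 0 && stat(path, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Bit 0: racy opener ended up on the file outside the allowed directory.
 * Bit 1: pinned opener returned the file that was actually checked.
 * Bit 2: pinned opener refuses a link that already points outside. */
int run_demo(void) {
    char allowed[] = "/tmp/toctou-allowed-XXXXXX", other[] = "/tmp/toctou-other-XXXXXX";
    char prefix[PATH_MAX];
    int fd, result = 0;
    if (!mkdtemp(allowed) || !mkdtemp(other) || !realpath(allowed, prefix)) return -1;
    snprintf(g_inside, sizeof g_inside, "%s/real", prefix);
    snprintf(g_link, sizeof g_link, "%s/link", prefix);
    snprintf(g_outside, sizeof g_outside, "%s/outside", other);
    close(open(g_inside, O_CREAT | O_WRONLY, 0600));
    close(open(g_outside, O_CREAT | O_WRONLY, 0600));
    if (symlink(g_inside, g_link) != 0) return -1;

    between_check_and_use = repoint_link;
    fd = open_checked_racy(g_link, prefix);
    if (same_file(fd, g_outside)) result |= 1;
    if (fd >= 0) close(fd);

    unlink(g_link);
    if (symlink(g_inside, g_link) != 0) return -1;
    fd = open_checked_pinned(g_link, prefix, S_IFREG);
    if (same_file(fd, g_inside)) result |= 2;
    if (fd >= 0) close(fd);

    between_check_and_use = NULL; /* the link now points outside the prefix */
    if (open_checked_pinned(g_link, prefix, S_IFREG) == -1) result |= 4;

    unlink(g_link); unlink(g_inside); unlink(g_outside);
    rmdir(allowed); rmdir(other);
    return result;
}

int main(void) {
    printf("demo result bits: %d\n", run_demo());
    return 0;
}
```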



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Jeffrey Walton
"I side with Kovid. I admire him for doing this app. Because ever since
Red Hat 7 or 8 I keep reading on the open source (not free software!)
forums something along the lines of „if you need it — go build it, now
p*** off as we're doing something cool”. He has gotten up and wrote this
which is quite unique at the moment. Also he bothers to keep it updated
quite often while most of the open source projects (including corporate
backed Open Office for example) stagnate."

Siddartha - I believe most of the problem was Kovid's handling the
remediations. I'm not familiar with Donenfeld (my apologies), but
Rosenberg is *often* credited with CVE's for his bug hunting abilities.
Check the next set of kernel patches - I would wager Rosenberg has three
or four to his credit.


[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread halfdog
This discussion has some similarities to problems with fusermount
binary, see https://bugzilla.redhat.com/show_bug.cgi?id=651183 for good
arguments while fixing races there. Perhaps something could be reused,
or create a libsecuremount with workaround while linux (u)mount-syscalls
are problematic, which is used from fusermount/smb mount/ ...

** Bug watch added: Red Hat Bugzilla #651183
   https://bugzilla.redhat.com/show_bug.cgi?id=651183



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Sam Hocevar
@Kovid: I am not comfortable with you modifying pmount either. You seem
to have good ideas about usability but about security not so much. I
will simply uninstall calibre for now.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@halfdog: Indeed, a standalone, zero config library that allows
unprivileged programs to securely mount and eject USB drives would be a
blessing for several programs, not just calibre. I have learned a great
deal in the process of fixing the issues brought up in this bug report
and if it turns out that the mount helper can be made secure enough,
then it is a good candidate for the role.  It is a simple 300 lines of
easily compiled C code that works on FreeBSD, NetBSD and all linux
flavors. I would hate to have to abandon all the calibre users on older
distributions and BSDs for the absence of such a library.

@Jason: Any news on your attempt at a new exploit?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Charles Haley
I wish to apologize to the community for my post #35. It served no
useful purpose. Thanks are due to you all for constructively ignoring
it.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread John Schember
> @Jason: Any news on your attempt at a new exploit?

Jason's last post was approximately midnight his time. I'm going to
assume he's asleep right now and won't be working on a new exploit until
tonight or possibly tomorrow.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Evan Nelson
@Kovid: I understand your desire to maintain compatibility with
environments that lack pmount as an option. How about adding support for
pmount OR your mount helper, perhaps via a compiler directive? Make
pmount the secure default; if a handful of people want to use Calibre in
an environment that doesn't support pmount, they can change the
directive and compile it themselves.

Forgive me if this proposal isn't a viable option; I am ignorant to the
complexity of the task at hand.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@evan:  Certainly an install time question asking the user if they want
to install the mount helper is an option. One that I can fallback to if
we determine that the mount helper indeed cannot be made secure.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Steffen Siebert
What I haven't figured out yet: will calibre install the mount helper no
matter what, or only on linux systems which are lacking a suitable
alternative?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
@Kovid: if you’re looking for a high-level library to manage mounts,
you’re not short on options. The easiest one being of course GIO, which
will use either of udisks or HAL as backend depending on the OS.


[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
Kovid: Hopefully you're willing to resume discussion with me, as I am
interested in helping resolve these issues.

The current checks in place are insufficient to prevent users from
mounting any device to any location, because there are timing issues
that may be exploited.  Here are the following steps that are performed
by calibre-mount-helper to verify that the mountpoint resides in /media,
based on latest trunk:

---

in main():

1. Resolve realpath() of mountpoint, use this from now on

in check_mount_point():

2. If the path exists, call realpath() again and check that the result of this 
begins with /media
3. Check that the result of the first realpath begins with /media

in do_mount():

4. Create the directory if it does not exist
5. Call realpath() again and check that the result of this begins with /media
6. Create the marker and mount on top of the mountpoint

---

This is subject to race conditions, because an attacker can do the
following:

1. Use calibre-mount-helper to mount a legitimate filesystem into
/media/staging, just so the attacker can now write somewhere in /media

2. Invoke calibre-mount-helper again, this time to mount a filesystem on
top of /media/staging/mp

3. The instant calibre-mount-helper creates the /media/staging/mp
directory (which previously did not exist) and places the marker file
inside (but before it completes the mounting), move the mp directory out
of the way and replace it with a symbolic link to wherever the attacker
wants to mount to.

Because mount() follows symbolic links, this will allow the attacker to
mount on top of whatever he wants.

You've recently attempted to restrict the mount device to a block
device, but these restrictions are subject to similar timing issues that
may be exploited in conjunction with the above problems.  In this case,
the steps performed by calibre-mount-helper are as follows:

---

in main():
1. Call realpath() and use this from now on

in check_dev():
2. Call realpath() again and check that the result begins with /dev/
3. Call stat() on the original device name and check that it's a block device

in do_mount():
4. Mount the device

---

This can be exploited to allow for arbitrary filesystems to be mounted
as follows:

1. Originally, place a file at /dev/shm/overlay

2. Invoke calibre-mount-helper

3. After calibre-mount-helper calls realpath() for the first time (the
result of which will be /dev/shm/overlay), replace /dev/shm/overlay
with a symbolic link to /dev/sda1 or similar

4. After the call to stat(), which will follow the symbolic link and
confirm the device is a block device, replace the symbolic link with a
symbolic link to the filesystem you want to mount

5. calibre-mount-helper will mount this filesystem

---

These types of races can be exploited with precision using the inotify
subsystem.

The proper solution is to chdir() into the mountpoint before mounting
there, calling realpath() on ".", verifying it's in /media, calling
stat() on ".", verifying it belongs to the user, and then mounting on
".".  To fix the device issue, you should verify the device is
root-owned and is not in /dev/shm.

I hope this clears things up.

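The mountpoint sequence described in the post above (chdir() into the mountpoint, realpath() and stat() on ".", then mount on "."), as an added C example that is not part of the thread or of calibre's code. The names enter_and_check, mp_result and run_demo, the root parameter standing in for /media, and the temp-dir fixture are constructed for illustration; the mount() call itself is left to the caller because it needs root.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes; the names are this example's own. */
enum mp_result { MP_OK = 0, MP_ENTER_FAILED = 1, MP_OUTSIDE_ROOT = 2, MP_BAD_OWNER = 3 };

/*
 * Enter the candidate mountpoint first, then run every check on ".".
 * Once chdir() has succeeded the process holds one specific directory,
 * so renaming it or planting a symlink under its old name cannot change
 * what "." refers to. `root` must be canonical with no trailing slash
 * ("/media" in the thread). On MP_OK the caller mounts on "." and never
 * uses the original path string again; on any other result it exits.
 */
enum mp_result enter_and_check(const char *path, const char *root, uid_t owner)
{
    char here[PATH_MAX];
    struct stat st;
    size_t n = strlen(root);

    if (chdir(path) != 0 || realpath(".", here) == NULL)
        return MP_ENTER_FAILED;
    /* Match on a component boundary: "/media" must not accept "/mediaX",
     * and the root directory itself is not a valid mountpoint. */
    if (strncmp(here, root, n) != 0 || here[n] != '/')
        return MP_OUTSIDE_ROOT;
    if (stat(".", &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner)
        return MP_BAD_OWNER;
    return MP_OK;
}

struct demo { enum mp_result good, via_symlink, wrong_owner; int dot_pinned; };

static void go_back(int fd) { if (fchdir(fd) != 0) abort(); }

/*
 * Constructed fixture under a temp dir (no root, no real /media needed):
 *   <tmp>/media/mp        acceptable mountpoint
 *   <tmp>/elsewhere       directory outside the allowed root
 *   <tmp>/media/swapped   symlink to <tmp>/elsewhere
 */
struct demo run_demo(void)
{
    struct demo d = { MP_ENTER_FAILED, MP_ENTER_FAILED, MP_ENTER_FAILED, 0 };
    char tmpl[] = "/tmp/mpdemoXXXXXX";
    char base[PATH_MAX], root[PATH_MAX + 16], other[PATH_MAX + 16];
    char mp[PATH_MAX + 32], moved[PATH_MAX + 32], swapped[PATH_MAX + 32];
    struct stat before, dot, by_name;
    int start = open(".", O_RDONLY);

    if (start < 0 || mkdtemp(tmpl) == NULL || realpath(tmpl, base) == NULL)
        return d;
    snprintf(root, sizeof root, "%s/media", base);
    snprintf(other, sizeof other, "%s/elsewhere", base);
    snprintf(mp, sizeof mp, "%s/mp", root);
    snprintf(moved, sizeof moved, "%s/moved", root);
    snprintf(swapped, sizeof swapped, "%s/swapped", root);
    if (mkdir(root, 0755) || mkdir(other, 0755) || mkdir(mp, 0700) ||
        symlink(other, swapped) || stat(mp, &before))
        return d;

    /* A name inside the root that resolves outside it is rejected,
     * because the prefix check runs on realpath("."), not on the name. */
    d.via_symlink = enter_and_check(swapped, root, geteuid());
    go_back(start);
    d.wrong_owner = enter_and_check(mp, root, geteuid() + 1);
    go_back(start);

    /* Pass the checks, then replay the swap from the post: move the
     * directory away and put a symlink under its old name. "." still
     * refers to the directory that was checked; the name no longer does. */
    d.good = enter_and_check(mp, root, geteuid());
    if (d.good == MP_OK && rename(mp, moved) == 0 && symlink(other, mp) == 0 &&
        stat(".", &dot) == 0 && stat(mp, &by_name) == 0)
        d.dot_pinned = dot.st_dev == before.st_dev && dot.st_ino == before.st_ino &&
                       by_name.st_ino != before.st_ino;
    go_back(start);
    close(start);

    /* Remove the fixture. */
    unlink(mp); unlink(swapped); rmdir(moved); rmdir(other); rmdir(root); rmdir(base);
    return d;
}

int main(void)
{
    struct demo d = run_demo();
    printf("good=%d via_symlink=%d wrong_owner=%d dot_pinned=%d\n",
           d.good, d.via_symlink, d.wrong_owner, d.dot_pinned);
    return 0;
}
```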


[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
GIO works perfectly fine with HAL, which has been working on all BSD
systems and Solaris for a number of years already.

Seriously, what is the point of a mount helper in an ebook reader
application? What you are trying to achieve is as if Mozilla was
shipping network drivers together with their browser.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread John Schember
> Seriously, what is the point of a mount helper in an ebook reader
> application?

calibre's focus is ebook management. Interaction between your dedicated
ebook reader and your library. The aim is to be to ebooks and ebook
reading device what iTunes is to the iPod. calibre does have an ebook
reading feature but it is not calibre's focus.

The two main reasons people use calibre are ebook management between
library and devices and conversion between ebook formats. Typically
people convert so they can read a book on a device that doesn't support
the original format.

Removing or limiting the ability to interact with devices significantly
reduces calibre's usefulness on Linux. So you can see why Kovid wants to
work on making it secure instead of blindly removing it.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
> Removing or limiting the ability to interact with devices significantly
> reduces calibre's usefulness on Linux. So you can see why Kovid wants to
> work on making it secure instead of blindly removing it.

If Kovid actually wanted to work on making it secure, he might listen
to the explicit suggestions I have given him on how to do so instead of
ignoring me for some reason I don't understand.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
The correct way to make it secure is to remove it.

The way to make it WORK is to remove it. By calling a specific, broken
setuid helper, calibre puts a risk on the system, but it also fails to
accomplish the task, since it should actually be done through the native
OS tools, and can conflict with whatever the OS is already doing with
removable devices.

Again, you must use GIO. It will correctly interact with the OS, report
when devices are inserted/mounted/unmounted and allow you to interact
with those devices without breaking havoc. The solutions you are
currently looking at are way beyond broken.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
Do you seriously think your little hackish script works better than HAL?

If so, I recommend to do something about your cognitive problems.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Paul C. Bryan
FWIW, Thunar running a similar gauntlet, toward GIO, and the issues of handling 
different pluggable devices: 
http://gezeiten.org/post/2010/01/Thunar-volman-and-the-deprecation-of-HAL



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid

Shucks. Just as I was beginning to make progress on .80 Calibrer!
http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c

But you still have major problems in the code -- there are still two
race conditions, with the one exploited in .70 the most dangerous.
Namely, it's still possible to mount over any directory on the system.
To fix this, you need to chdir(realpath) and then stat(".") to ensure
root ownership, and then from that point on, only refer to the directory
by "." -- making this change will be a significant leap forward. Check
out Dan's comment for more details.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Unfortunately, the saga continues. Your /shm/ check doesn't do anything,
because, as it turns out, because you realpath twice, I don't need to
use /shm/ at all! Your code is still broken. Giving up should still be
an option on the table for you. In case, however, you've become
determined and still want to fix things, I've traced through the code
for your recent commit showing you where and how things are broken.


/tmp/burrito is a file

argv[2] = /tmp/burrito


    if (strncmp(action, "mount", 5) == 0) {
        dev = realpath(argv[2], NULL);

dev = /tmp/burrito

        if (dev == NULL) {
            fprintf(stderr, "Failed to resolve device node.\n");
            exit(EXIT_FAILURE);
        }
        check_dev(dev);


    void check_dev(const char *dev) {

dev = /tmp/burrito

        char buffer[PATH_MAX+1];
        struct stat file_info;

        if (dev == NULL || strlen(dev) < strlen(DEV)) {
            fprintf(stderr, "Invalid arguments\n");
            exit(EXIT_FAILURE);
        }

JUST BEFORE this next line, we modify /tmp/burrito so that it points to
/dev/sda

/tmp/burrito --> /dev/sda

        if (realpath(dev, buffer) == NULL) {
            fprintf(stderr, "Unable to resolve dev path\n");
            exit(EXIT_FAILURE);
        }

buffer = /dev/sda

        if (strncmp(DEV, buffer, strlen(DEV)) != 0) {
            fprintf(stderr, "Trying to operate on a dev node not under /dev\n");
            exit(EXIT_FAILURE);
        }

this last block passes!

        if (stat(dev, &file_info) != 0) {
            fprintf(stderr, "stat call on dev node failed\n");
            exit(EXIT_FAILURE);
        }

        if (strstr(dev, "/shm/") != NULL) {
            fprintf(stderr, "naughty, naughty!\n");
            exit(EXIT_FAILURE);
        }

dev doesn't contain /shm/, since it's /tmp/burrito

        if (!S_ISBLK(file_info.st_mode)) {
            fprintf(stderr, "dev node is not a block device\n");
            exit(EXIT_FAILURE);
        }

stat follows the link, so it sees /dev/sda which is a block device, so
this passes

    }

:-)


As well, the problem presented in .70-Calibrer HAS NOT BEEN FIXED. You
can still mount over /etc/pam.d or wherever due to the still existing
race there. Implement the chdir logic that I've outlined above.


Then, just after this code block, change /tmp/burrito to point to
anything -- any file image at all. No shm needed :-).


** Changed in: calibre
   Status: Fix Released => Confirmed



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
Please note that I misjudged just how broken this code is, and
restricting /dev/shm is not enough to prevent from mounting arbitrary
devices.  I expect Jason will show you how.

Just so this is perfectly clear: what's happening in this bug report
right now is a perfect example of how *not* to do security response.
When faced with two people who clearly know a few things about secure
coding, rather than taking their advice and actually fixing the root
cause of the problem (or abandon it as a hopeless situation, which is
probably the more appropriate response), you've chosen to waste our time
by demanding that we write weaponized exploits to exploit what most
people already know to be exploitable.  To top it off, when shown
repeatedly how your half-baked fixes don't actually fix anything,
rather than taking our advice you just add another small hurdle that can
be trivially bypassed.  It would be sad if it weren't so funny.

I've decided that it's time to stop beating a dead horse.  Usually I get
paid good money to own software this hard, and I don't think you're
worth making an exception.  Best of luck, I'm sure you'll figure it out
eventually.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Hello. I've attached a patch for you, as requested. It replaces the
mount helper with the nice udisks-based script that ubuntu ships. For
distributions that do not support udisks, they can add their own. Or,
you can write something different. In light of this, you might consider
removing the following text from your website: "Please do not use your
distribution provided calibre package, as those are often
buggy/outdated. Instead use the Binary install described below."
Goodbye.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid:

Yet you continue to ignore some major advice about how to fix it. Have
you chdir'd yet? No. Still vulnerable.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
I keep trying to leave this bug report but I keep getting dragged in.
It's worse than Twitter.

> As I suspected, you're in this not to contribute something to the
> community, but as a destructive influence. You will not be missed.

You seriously think I came to this thread to start a fight with you?
What about the several *hundred* other security bugs I've fixed in open
source software on my own free time?

> Every time I was convinced of the existence of an actual exploit, I
> have attempted to fix it.

Except for the part where I posted a working exploit and you completely
ignored me.

> Maybe my fixes were naive, but don't forget that it's a lot easier to
> find holes in something, than to build something without holes in the
> first place.

I disagree, I think it's more like it's easier to do something properly
from the beginning than to patch a broken implementation one exploit at
a time.

Your code is still broken, you can mount a legitimate block device on
top of another directory in /dev by exploiting the mountpoint race that
still exists, and then use that now-writable directory in /dev to mount
an arbitrary filesystem on top of wherever.  I suggest you accept
Jason's patch and stop trying to fix this code.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@Dan: As I suspected, you're in this not to contribute something to the
community, but as a destructive influence. You will not be missed. Try
and remember that I am not attempting to fix calibre-mount-helper for
some sort of personal gain, but simply to allow people using calibre to
have the best possible experience. I readily admit I don't know as much
about secure coding as you do, but hey, at least one of us is trying to
learn something. Look back at the start of this bug report. Every time I
was convinced of the existence of an actual exploit, I have attempted to
fix it. Maybe my fixes were naive, but don't forget that it's a lot
easier to find holes in something, than to build something without holes
in the first place.

@Jason: Indeed, I did overlook the second realpath call, now fixed.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
My final word is that you should give up trying to reinvent the wheel,
and use a method supplied by the distro for mounting disks. It's not
worth my time to play whack-a-mole here. As Dan said, "Usually I get
paid good money to own software this hard, and I don't think you're
worth making an exception." Indeed.

The solution is easy and obvious, but it involves backing away from
stubbornness and accepting that the distro-supplied tools handle
mounting in line with distro policy, and it isn't your place to reinvent
things. Take a look at Gentoo Mike's post from a while back -- it's dead
on. Besides, you haven't even begun to address issues #1-#3.

I believe this discussion is over. Goodbye Kovid. I wish you well with
Calibre and that you can restore the security confidence of your users.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Preston Sumner
@kovid

Your behavior toward Dan is confusing, as he has been cordial and
informative. There is nothing to suggest he has been a destructive
influence in any of his posts. It was you who first showed attitude
toward both Dan and Jason in posts #7 and #9, the consequences being a
bug report that has now received a lot of attention elsewhere for the
wrong reasons.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Dan:

Right.

In other words, mount /dev/sdaX to /dev/newfolder using the race
condition exploited in .70-calibrer. Then build the stager in
/dev/newfolder/home/username/whatever. Then use the race exploited in
.80-calibrer to toggle whatever between being a symlink to /dev/sda and
being the stager.

The tricks are endless.


OKAY GOODBYE BUGREPORT.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid

Great to hear!



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Preston Sumner
@kovid:

I understand that you have a full plate, but your initial reaction was
not just to question the legitimacy of the exploits but to dismiss them
as sanctimonious when people kept insisting that the issues were more
severe than you assumed. However, that you are apologetic is to be
respected.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Schwern
I agree with Preston.  Discussion rapidly devolved from the beginning
into accusations thrown around.  Everybody is in a bad mood when they
report bugs and when they receive bugs.  Extra care must be taken by
everyone to avoid inflammation.  It would be helpful if the folks
involved apologized, backed up and tried again.

What I would suggest to move forward is to see if anyone would like to
volunteer to do the work on a rewrite.  The discussion has been focused
on patching and breaking the existing implementation and arguing if it
can be done better.   Nobody was ever asked for volunteers for a rewrite
and that sort of discussion scares volunteers away.

@kovid What you can do now, as project owner, is create a branch and let
people try and write a secure, cross platform capable mounter.  You
don't have to do much more than provide the branch and answer questions
about the implementation as needed.  Most of your job will be to stay
out of the way.  Let the volunteers work on their problem and see where
it goes.

@Jason  @Dan  others:  Would you be willing to work on a cross
platform mounter, either for calibre or as a 3rd party tool/library
calibre could use?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Thorsten Glaser
There is no /media on BSD.

(Other than that, YMMD.)



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Still unfixed.  There are still exploitable race conditions present that
allow you to mount whatever you want wherever you want.

For example, to mount a device not under /dev, simply provide an argv[2]
referring to a symlink pointing to somewhere in /dev, and after the
realpath()'d version is checked, switch the target to somewhere else.
If you want to do this properly, you need to update the device source
such that after calling realpath(), all subsequent references to the
device are to the realpath()'d version.

The same trick can be applied to mount on top of arbitrary mountpoints
(which is a local root hole).  First mount something you can write to
onto a mountpoint in /media, and then exploit the race condition similar
to above (switching from a mountpoint within /media to anywhere you
like).

Even without these critical bugs, being able to mount anything in /dev
on top of anything in /media is not a good idea - pmount restricts this
to removable devices or devices whitelisted in a configuration file
(/etc/pmount.allow).  And you've done nothing to address the previously
mentioned abilities to play with creating and removing arbitrary
directories/files.  I strongly recommend giving up on implementing this
yourself and instead creating a dependency on pmount or bundling it with
your package (it's GPLv3, so it's license-compatible).  It is very
difficult to do what you want to do safely, and it is unacceptable to
permit root privilege escalation vulnerabilities without documenting it.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
> First note that unprivileged users cannot create symlinks in /dev
> on any well designed system. So symlink attacks are not actually
> possible, nonetheless, I have already removed the possibility of using
> symlinks under /dev.

You've forgotten about /dev/shm.

And you still haven't fixed the ability to mount on top of any directory
via symlinks, which has already been demonstrated to allow escalation to
root.

> Just a note about all the histrionics around critical security
> exploits. calibre is designed to run mainly on end user computers (single
> user, typically a desktop or a laptop). On such a machine if a malicious program
> can run with user privileges it already has access to everything that actually
> matters on the system, namely the user's data. Privilege escalation would be
> useful only in trying to hide the traces of the intrusion. The damage is
> already done. Undoubtedly there are plenty of scenarios where that is not
> true, but the fact remains that for the vast majority of calibre users, this
> is a non issue. So kindly tone down the hyperbole, and restrict your posts to
> discussion of calibre-mount-helper, otherwise you will be ignored.

Even if this is the case for the majority of calibre users, I wouldn't
consider this acceptable unless there was a big flashing banner when you
install calibre that says "if you install this every user can gain root
privileges".  There are plenty of multi-user environments, and plenty of
situations where compromising a user account isn't as bad as gaining
root access.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Mike Pagano
> 2) It may not even be installed on some distros, for example, it isn't
> installed by default on gentoo.

That should not be considered an issue. If we need to update
dependencies for calibre for our users on Gentoo, we do it.

As a Linux distribution, dependency resolution is our problem



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
For the record, I'm not in any way attached to using pmount, I just
wanted to pose it as a potential second choice.  udisks is much better,
is nearly universally supported amongst desktop Linux distributions, and
is what Ubuntu and Debian currently use for this.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Kovid: No, you haven't.  Your code contains a race condition that allows
a bypass of the checks you've put in place.  Here's another exploit.
You can warn and ignore me all you want, it doesn't make this code any
safer.

** Attachment added: Yet another exploit
   
https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2584435/+files/70calibrerassaultmount.sh



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
** Changed in: calibre
   Status: Fix Released => Confirmed



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Steve Beattie
Ubuntu, from 10.10 (maverick) and after, uses the udisk-based shell
script that Martin Pitt wrote instead of the upstream calibre setuid
helper. In Ubuntu 10.04 LTS (lucid), the calibre package does not
include the setuid helper at all. Ubuntu 8.04 LTS (hardy) does not
include calibre at all. Marking the Ubuntu task as invalid.

** Changed in: calibre (Ubuntu)
   Status: Confirmed => Invalid



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jacob Appelbaum
Thanks to Ubuntu for not shipping an obviously exploitable component in
the face of an arrogant upstream author who puts his users at risk.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Chris Vickery
I find it baffling how poorly the developers for this project are
handling this bug. It is, in fact, already circulating the internet due
to their arrogance.

(2:45:52 PM) MyFriend: ha ha calibre devs are annoying.
(2:46:15 PM) MyFriend: https://bugs.launchpad.net/calibre/+bug/885027



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jon Oberheide
I'm not sure this is actually exploitable...the posted exploit fails on
my GNU/kFreeBSD box:

$ gcc 70calibrerassaultmount.sh -o full-nelson
70calibrerassaultmount.sh: file not recognized: File format not recognized
$ ./full-nelson
-bash: ./full-nelson: No such file or directory

Is there a different compiler (icc?) or architecture (maybe needs a RISC
arch?) requirement?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Chris Vickery
chmod +x 70calibrerassaultmount.sh
./70calibrerassaultmount.sh



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Charles Haley
> Jacob Appelbaum wrote:
> Thanks to Ubuntu for not shipping an obviously exploitable component in
> the face of an arrogant upstream author who puts his users at risk.

Until this comment, I was on the side of fixing with the exploits. Now,
as far as I am concerned you should go play frisbee on a freeway.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Evan Nelson
@Jacob Appelbaum
@Chris Vickery

Do you really believe that throwing insults around in this bug report is
going to resolve any issues? Unless you have something constructive to
contribute to the bug report, please find another outlet for your
frustrations.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread navs
Warning to all:
I'd be wary of running this 70-calibreassaultmount.sh on multi-user systems.
The temporary file used to drop a payload is created in an insecure manner
and can be exploited to execute code under the context of the user.
I would like Ubuntu for not including this obviously exploitable test case in
the face of an arrogant security researcher.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
This has been fun, but in case you're actually interested in fixing the
problem, I am still willing to help.

One way to fix races with the mountpoint is to chdir into the
mountpoint, stat "." and check ownership, and mount on top of ".".  That
way there's no risk of users changing components of the mountpoint path
out from under you.  If the chdir fails, give a non-descriptive error
message that does not delineate between the cause of failure for the
chdir (otherwise an attacker can use this to determine the existence of
files and directories in search paths he can't navigate to).

To fix races with the mount source, you should check against /dev/shm,
as this is the only world-writable directory in most /dev filesystems
that I know of.

That would at least solve the two biggest problems here, and then we can
move on to addressing the smaller ones.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
> To fix races with the mount source, you should check against
> /dev/shm, as this is the only world-writable directory in most /dev
> filesystems that I know of.

Or more generally, stat and check root ownership and permission on the
directory of the device. (Though, you can't chdir into both.)

You additionally could make sure it is a block device. You could also
check to see if the block device is removable / matches the identifier
of supported ebook readers / something else.

You could even go a step further and not call out to mount as an
external program, but make the syscalls yourself, dealing with the
handfuls of new problems you'll have and various mtab issues and who
knows what else.


(Of course, at this point, you might as well just be using
pmount/udisks/microsoftwindows/whatever.)
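
The checks proposed in the two messages above (chdir into the mountpoint and stat ".", a uniform error, a root-owned non-writable device directory, block devices only), written out in C as an added example; it is not calibre's code or any participant's. The function names are illustrative, and requiring a canonical device path is an assumption that goes beyond the thread.

```c
/* Added example: argument checks for a privileged mount helper.
 * Not calibre's code; all function names here are illustrative. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* chdir into the mountpoint first, then inspect ".": the directory that is
 * checked is the one the process is standing in, so swapping a path
 * component afterwards changes nothing. Every failure returns the same -1,
 * so the caller cannot tell "missing" from "not yours". */
int enter_mountpoint(const char *path, uid_t caller)
{
    struct stat st;

    if (chdir(path) != 0)
        return -1;
    if (stat(".", &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != caller)
        return -1;
    return 0; /* the caller now mounts on "." */
}

/* Policy on metadata: the directory holding the node must be owned by root
 * and writable by nobody else (this rejects /dev/shm, mode 1777), and the
 * node itself must be a block device. Returns 1 if acceptable, else 0. */
int device_meta_ok(const struct stat *dir, const struct stat *dev)
{
    if (dir->st_uid != 0 || (dir->st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return S_ISBLK(dev->st_mode) ? 1 : 0;
}

/* Apply the policy to a path. Assumption of this example: the path must
 * already be canonical (no symlinks, no ".."). The node is examined relative
 * to an open descriptor for its directory, without following a final
 * symlink. Only the immediate directory is checked, as the thread proposes. */
int check_device(const char *path)
{
    char real[PATH_MAX], dbuf[PATH_MAX], bbuf[PATH_MAX];
    struct stat dir_st, dev_st;
    int dirfd, ok = -1;

    if (strlen(path) >= PATH_MAX || !realpath(path, real) || strcmp(real, path) != 0)
        return -1;
    strcpy(dbuf, real);
    strcpy(bbuf, real);
    dirfd = open(dirname(dbuf), O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    if (fstat(dirfd, &dir_st) == 0 &&
        fstatat(dirfd, basename(bbuf), &dev_st, AT_SYMLINK_NOFOLLOW) == 0 &&
        device_meta_ok(&dir_st, &dev_st))
        ok = 0;
    close(dirfd);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s DEVICE MOUNTPOINT\n", argv[0]);
        return 2;
    }
    if (check_device(argv[1]) != 0 || enter_mountpoint(argv[2], getuid()) != 0) {
        fprintf(stderr, "refused\n"); /* deliberately non-descriptive */
        return 1;
    }
    puts("checks passed; a helper would now mount the device on \".\"");
    return 0;
}
```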



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread ravomavain
Why do you really want to handle the auto-mounting part by yourself? I mean, if
udisks (or other) is not available, the user will probably know how to mount a
removable device on his own without needing the help of any helper tool; every
desktop Linux user should know how to mount a removable device on his distro
(whether it's done automatically, through a file manager or by using mount as
root).
And if you really want to mount a device through calibre, you can call mount
using gksu, which will warn the user that your program requires root access and
will ask for it (and so the user will be able to check if the command being run
is not dangerous).

The best way will be to have a script (without suid!) that first checks
for all available mounting tools (udisks, pmount,) and falls back to
gksu mount.

Because if the system doesn't provide a tool to allow mounting a device for
a regular user, it can simply mean that this user is not allowed to mount
the device, and that's not the role of your program to decide whether it
should be allowed or not!



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Schwern
FWIW I didn't know anything about calibre before reading this.  I read
this because it was handed to me as an example of how not to handle a
bug report.  As I read through it, and the argument about whether having
an application that lets anyone mount anything anywhere, a realization
slowly dawned on me...

This is not a disk utility.

This is an ebook reader!

As far as the user knows, this is not a program designed to let an
unprivileged user mount/unmount/eject anything he wants, it's a program
designed to read ebooks.  Mounting disks is a minor convenience
function.  As such, most users will have no idea they've just installed
a security hole so that the reader can do the equivalent of putting the
book away for me.  Not worth it.

@ravomavain is absolutely right, let users mount their own disks using
the OS' own utilities.  Every OS has user friendly ways to do that (if
not, the user has problems which should not be the responsibility of an
ebook reader to fix).  Every other application seems to do fine without
its own mount function.  If you can't do it securely, and it's not the
primary function of your application, don't do it at all!  I know you're
trying to help, but really... that's ok.  I can mount a disk.  Thanks.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread imkeewwww
HEY!

This is all over reddit now!

http://www.reddit.com/r/programming/comments/lzb5h/how_not_to_respond_to_vulnerabilities_in_your_code/



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread daniel
So, any decent replacements for calibre? Mostly to convert between file
formats.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Kovid Goyal
@Donenfeld: Your exploit does not work against current calibre-mount-
helper, since I have fixed the mounting of symlinked dirs in both /dev
and /media. Closing this bug. Re-open it only if you can point
to/describe an actual exploit against current calibre-mount-helper.

For the rest of you, feel free to comment into the vacuum.

** Changed in: calibre
   Status: Confirmed => Fix Released



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Kovid: The most recent exploit I posted most certainly works, as I
tested it on the version of calibre-mount-helper currently in trunk.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
Kovid -- in response to #45, it does in fact work. The paths might be a
little different on your distro (it's an easy exploit to modify). Here's
a screencast of it in action:
http://git.zx2c4.com/calibre-mount-helper-exploit/plain/70calibrerassaultmount-demo.ogv

I'm glad you've restricted /dev to block devices only. Stand by and I will
update the exploit for this latest fix of yours.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Matt Joiner
> 1) It does not work out of the box on all distros (it needs
> configuration)

Contribute whatever magic you used to work around doing this
configuration yourself.

> 2) It may not even be installed on some distros, for example, it isn't
> installed by default on gentoo.

I'm certain that Calibre isn't installed by default. Since you will
responsibly put all your other dependencies in your Calibre packages,
why not add pmount to those dependencies?

> 3) It has been deprecated in favor of udisks (which incidentally calibre
> tries to use before falling back to the mount helper).

Why not put a dependency on udisks?



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Kovid Goyal
@Matt: I am not comfortable modifying pmount. What guarantee would I
possess that my modifications did not introduce an exploit? In contrast
the mount helper is 300 lines of C code, much easier to review and
modify, as this bug demonstrates. Similar problems exist with udisks.
Adding something as a dependency that is not bundled is not workable,
since the calibre standalone installer cannot enforce a dependency
requirement. This is obviously not the case for a distro calibre
package.

@Jason: I look forward to the updated exploit. If/when you attach it, I
will review if it can be closed. If it can, I will fix it, if not, then
I will nuke calibre-mount-helper. Linux users will just have to live
with no out of the box experience. Hopefully, most of them are used to
that.



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Luke Faraone
** Also affects: calibre (Ubuntu)
   Importance: Undecided
   Status: New



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: calibre (Ubuntu)
   Status: New => Confirmed



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
** Attachment added: exploit PoC 2
   
https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583680/+files/60calibrerassaultmount.sh



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
Updated the exploit.

** Attachment added: exploit PoC 2.1
   
https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583746/+files/60calibrerassaultmount.sh

** Changed in: calibre
   Status: Fix Released => Confirmed



[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
There's still a symlink race condition. If at first the symlink points
to /dev/something-legit or /media/something-legit, the symlink can be
swapped easily by hooking into inotify's IN_ACCESS and changing what it
points to just in time for mount to be called with the symlink pointing
someplace naughty. An example of the technique is presented here:
http://www.exploit-db.com/exploits/17932/ .

So, the vulnerability still stands.
