edubuntu-bugs team mailing list archive

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities


Still unfixed.  There are still exploitable race conditions present that
allow you to mount whatever you want wherever you want.

For example, to mount a device not under /dev, simply provide an argv[2]
referring to a symlink pointing to somewhere in /dev, and after the
realpath()'d version is checked, switch the target to somewhere else.
If you want to do this properly, you need to update the device source
such that after calling realpath(), all subsequent references to the
device are to the realpath()'d version.

The same trick can be applied to mount on top of arbitrary mountpoints
(which is a local root hole).  First mount something you can write to
onto a mountpoint in /media, and then exploit the race condition similar
to above (switching from a mountpoint within /media to anywhere you
like).

Even without these critical bugs, being able to mount anything in /dev
on top of anything in /media is not a good idea - pmount restricts this
to removable devices or devices whitelisted in a configuration file
(/etc/pmount.allow).  And you've done nothing to address the previously
mentioned abilities to play with creating and removing arbitrary
directories/files.  I strongly recommend giving up on implementing this
yourself and instead creating a dependency on pmount or bundling it with
your package (it's GPLv3, so it's license-compatible).  It is very
difficult to do what you want to do safely, and it is unacceptable to
permit root privilege escalation vulnerabilities without documenting it.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions
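The device-path race described in the comment above, as an added C illustration (not code from the bug report or from the calibre helper): both functions canonicalise the user-supplied argv[2] with realpath() and check that the result lies under /dev, but only the hardened one hands the caller the canonical name, which is what the comment asks for. It assumes /dev is root-owned and not writable by the caller, which is why reusing the canonical name is safe while reusing the original (possibly a symlink in a user-writable directory) is not.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* realpath() needs POSIX/XSI declarations */
#endif
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Returns 1 if `path` is a canonical path strictly inside directory `dir`
 * (e.g. "/dev/sda1" under "/dev"). "/devices/sda1" and "/dev" itself do not match. */
static int path_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && path[n] == '/' && path[n + 1] != '\0';
}

/* Vulnerable pattern (the one the comment describes): the check runs on the
 * realpath()'d name, but the name handed back for the later mount(2) is the
 * original, user-controlled one. If that is a symlink in a directory the user
 * can write to, it can be repointed between this check and the mount. */
int resolve_device_vulnerable(const char *user_path, char *out, size_t outlen)
{
    char canon[PATH_MAX];
    if (realpath(user_path, canon) == NULL) return -1;
    if (!path_under_dir(canon, "/dev")) return -1;
    if (strlen(user_path) >= outlen) return -1;
    strcpy(out, user_path);          /* BUG: returns the unresolved path */
    return 0;
}

/* Hardened: after realpath(), every later reference is to the canonical name,
 * which lives under the root-owned /dev and so cannot be swapped by the caller.
 * The same treatment applies to the mountpoint argument. */
int resolve_device_hardened(const char *user_path, char *out, size_t outlen)
{
    char canon[PATH_MAX];
    if (realpath(user_path, canon) == NULL) return -1;
    if (!path_under_dir(canon, "/dev")) return -1;
    if (strlen(canon) >= outlen) return -1;
    strcpy(out, canon);               /* only the checked name leaves here */
    return 0;
}
```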