edubuntu-bugs team mailing list archive

Thread
Date

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

To: edubuntu-bugs@xxxxxxxxxxxxxxxxxxx
From: Dan Rosenberg <885027@xxxxxxxxxxxxxxxxxx>
Date: Thu, 03 Nov 2011 20:07:41 -0000
Reply-to: Bug 885027 <885027@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This has been fun, but in case you're actually interested in fixing the
problem, I am still willing to help.

One way to fix races with the mountpoint is to chdir into the
mountpoint, stat "." and check ownership, and mount on top of ".".  That
way there's no risk of users changing components of the mountpoint path
out from under you.  If the chdir fails, give a non-descriptive error
message that does not delineate between the cause of failure for the
chdir (otherwise an attacker can use this to determine the existence of
files and directories in search paths he can't navigate to).

To fix races with the mount source, you should check against /dev/shm,
as this is the only world-writable directory in most /dev filesystems
that I know of.

That would at least solve the two biggest problems here, and then we can
move on to addressing the smaller ones.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions

Follow ups

Re: [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
From: Jason A. Donenfeld, 2011-11-03