edubuntu-bugs team mailing list archive

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

 

FWIW I didn't know anything about calibre before reading this.  I read
this because it was handed to me as an example of how not to handle a
bug report.  As I read through it, and the argument about whether having
an application that lets anyone mount anything anywhere, a realization
slowly dawned on me...

This is not a disk utility.

This is an ebook reader!

As far as the user knows, this is not "a program designed to let an
unprivileged user mount/unmount/eject anything he wants", it's a program
designed to read ebooks.  Mounting disks is a minor convenience
function.  As such, most users will have no idea they've just installed
a security hole so that the reader can do the equivalent of putting the
book away for me.  Not worth it.

@ravomavain is absolutely right, let users mount their own disks using
the OS' own utilities.  Every OS has user friendly ways to do that (if
not, the user has problems which should not be the responsibility of an
ebook reader to fix).  Every other application seems to do fine without
its own mount function.  If you can't do it securely, and it's not the
primary function of your application, don't do it at all!  I know you're
trying to help, but really... that's ok.  I can mount a disk.  Thanks.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities
