edubuntu-bugs team mailing list archive

Thread
Date

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

To: edubuntu-bugs@xxxxxxxxxxxxxxxxxxx
From: "Jason A. Donenfeld" <885027@xxxxxxxxxxxxxxxxxx>
Date: Fri, 04 Nov 2011 18:41:05 -0000
Reply-to: Bug 885027 <885027@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

@Kovid

Shucks. Just as I was beginning to make progress on .80 Calibrer!
http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c

But you still have major problems in the code -- there are still two
race conditions, with the one exploited in .70 the most dangerous.
Namely, it's still possible to mount over any directory on the system.
To fix this, you need to chdir(realpath) and then stat(".") to ensure
root ownership, and then from that point on, only refer to the directory
by "." -- making this change will be a significant leap forward. Check
out Dan's comment for more details.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions