edubuntu-bugs team mailing list archive

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

 

Please note that I misjudged just how broken this code is, and
restricting /dev/shm is not enough to prevent mounting of arbitrary
devices.  I expect Jason will show you how.

Just so this is perfectly clear: what's happening in this bug report
right now is a perfect example of how *not* to do security response.
When faced with two people who clearly know a few things about secure
coding, rather than taking their advice and actually fixing the root
cause of the problem (or abandoning it as a hopeless situation, which is
probably the more appropriate response), you've chosen to waste our time
by demanding that we write weaponized exploits to exploit what most
people already know to be exploitable.  To top it off, when shown
repeatedly how your half-baked "fixes" don't actually fix anything,
rather than taking our advice you just add another small hurdle that can
be trivially bypassed.  It would be sad if it weren't so funny.

I've decided that it's time to stop beating a dead horse.  Usually I get
paid good money to own software this hard, and I don't think you're
worth making an exception.  Best of luck, I'm sure you'll figure it out
eventually.

-- 
You received this bug notification because you are a member of Edubuntu
Bugsquad, which is subscribed to calibre in Ubuntu.
https://bugs.launchpad.net/bugs/885027
