
Wednesday's security updates

Mandriva has updated wireshark (another set of dissector vulnerabilities) and phpldapadmin (code injection).

It's also worth noting that any system with calibre installed is subject to several easy local root exploits. Expect distributor updates soon; there will be a closer look at this issue in tomorrow's LWN Weekly Edition.



Wednesday's security updates

Posted Nov 2, 2011 17:57 UTC (Wed) by nirik (subscriber, #71) [Link]

I'll note that calibre as shipped in Fedora at least doesn't include the suid mount helper (except as a dummy script that has a note that we don't use it).

I suspect other distributors do likewise, so it may be that many folks are not vulnerable to this if they are using their distro packages.

calibre in Ubuntu

Posted Nov 3, 2011 13:57 UTC (Thu) by smb (subscriber, #53308) [Link]

In Ubuntu, in 10.10 (maverick) and beyond, calibre's mount helper is replaced by the non-setuid udisks version that Martin Pitt wrote for Debian. In 10.04 LTS, the calibre package does not include the mount helper at all, and calibre is not in 8.04 LTS (hardy) at all.

Wednesday's security updates

Posted Nov 2, 2011 18:59 UTC (Wed) by gidoca (subscriber, #62438) [Link]

Out of curiosity: what does an ebook management system need a suid mount helper for?

Mount helper

Posted Nov 2, 2011 19:03 UTC (Wed) by corbet (editor, #1) [Link]

Dealing with readers often involves mounting a filesystem exported by the device.

Wednesday's security updates

Posted Nov 3, 2011 7:48 UTC (Thu) by eupator (guest, #44581) [Link]

The calibre author's reaction on the bug (https://bugs.launchpad.net/calibre/+bug/885027) is quite fascinating (do read the thread, my paraphrasing doesn't really do it justice):

* Ok, the user can now do some things with elevated privileges, so what?
* Ok, it is a bug, but I NEED IT!
* You reported the bug, so it's now YOUR responsibility to fix it in a way that doesn't change how my program works.
* I TOLD YOU to fix it, and you didn't. So it's not a bug.

And the epic:

"Kindly do not lecture me about using a setuid executable. Shocking as that may seem, I am actually aware of the dangers, and even if I weren't, rest assured that plenty of your ancestors have pointed it out to me in the past four years. Is it bad to have suid executables, yes. Is there a workable alternative, no."

It's also amusing to see how he repeatedly papers the bug enough to break the proof-of-concept exploit of the day only.

This kind of attitude never ceases to amaze me.

Amusing? No..

Posted Nov 3, 2011 12:29 UTC (Thu) by renox (subscriber, #23785) [Link]

I don't find this funny because he has a point: the solution pointed (pmount) is 1) not portable because not installed by default in gentoo and must be configured to work 2) deprecated.

IMHO, this kind of issue should be solved by LSB..

Wednesday's security updates

Posted Nov 3, 2011 15:39 UTC (Thu) by ccurtis (guest, #49713) [Link]

I've worked with people like this. They're dangerous.

I'm not claiming to be any kind of security expert, but from just skimming the thread I have to ask why the mountpoint isn't restricted to something under $HOME. After that it's just your standard symlink race condition stuff.

I did like the one comment about Gentoo and pmount though: dependency resolution is the job of the distro.
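A concrete form of the containment check ccurtis asks about, written as an added example rather than code from calibre or from anyone in this thread: a privileged mount helper that is handed a user-chosen mount point would, before calling mount, require that the path is a real directory (not a symlink), that it resolves to somewhere strictly inside the invoking user's home, and that every directory from the home down to it is owned by that user and not writable by others. The function names, the demo home layout and the sample paths are all constructed for this example; `build_demo_home()` creates them in a temporary directory so the block runs offline.

```python
import os
import stat
import tempfile


class MountPointError(ValueError):
    """Raised when a requested mount point fails the containment or ownership checks."""


def validate_mountpoint(requested: str, home: str, uid: int) -> str:
    """Return the canonical path of `requested` if it is an acceptable mount point for `uid`.

    Rules: the path must be an existing directory and not a symlink, its resolved
    location must be strictly inside `home`, and every directory from `home` down
    to it must be owned by `uid` and not writable by other users.
    """
    home_real = os.path.realpath(home)
    try:
        st = os.lstat(requested)
    except OSError as exc:
        raise MountPointError(f"{requested}: {exc.strerror}") from None
    if stat.S_ISLNK(st.st_mode):
        raise MountPointError(f"{requested}: is a symbolic link")
    if not stat.S_ISDIR(st.st_mode):
        raise MountPointError(f"{requested}: is not a directory")

    real = os.path.realpath(requested)
    if real == home_real or os.path.commonpath([home_real, real]) != home_real:
        raise MountPointError(f"{requested}: resolves to {real}, outside {home_real}")

    # Walk from the home directory down to the mount point, one component at a time.
    prefix = home_real
    for part in os.path.relpath(real, home_real).split(os.sep):
        prefix = os.path.join(prefix, part)
        pst = os.lstat(prefix)
        if stat.S_ISLNK(pst.st_mode):
            raise MountPointError(f"{prefix}: path component is a symbolic link")
        if pst.st_uid != uid:
            raise MountPointError(f"{prefix}: owned by uid {pst.st_uid}, not {uid}")
        if pst.st_mode & stat.S_IWOTH:
            raise MountPointError(f"{prefix}: writable by other users")

    # Open the directory without following a trailing symlink and confirm that the
    # inode we inspected is the one we opened, so a swap between lstat and open is caught.
    try:
        fd = os.open(requested, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError as exc:
        raise MountPointError(f"{requested}: {exc.strerror}") from None
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise MountPointError(f"{requested}: directory changed during validation")
    finally:
        os.close(fd)
    return real


def is_safe_mountpoint(requested: str, home: str, uid: int) -> bool:
    """Boolean wrapper around validate_mountpoint for callers that only need accept/reject."""
    try:
        validate_mountpoint(requested, home, uid)
        return True
    except MountPointError:
        return False


def build_demo_home() -> dict:
    """Create a throwaway home directory holding constructed sample mount points."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    outside = tempfile.mkdtemp(prefix="demo-outside-")
    good = os.path.join(home, "mnt", "reader")
    os.makedirs(good)
    link_out = os.path.join(home, "mnt", "escape")   # symlink pointing outside the home
    os.symlink(outside, link_out)
    link_in = os.path.join(home, "mnt", "alias")     # symlink pointing inside the home
    os.symlink(good, link_in)
    regular = os.path.join(home, "mnt", "notes.txt")  # a plain file, not a directory
    with open(regular, "w") as f:
        f.write("constructed sample file\n")
    return {"home": home, "outside": outside, "good": good,
            "link_out": link_out, "link_in": link_in, "file": regular}


def demo_results() -> dict:
    """Run the check over every constructed sample path as the current user."""
    d = build_demo_home()
    uid = os.getuid()
    return {name: is_safe_mountpoint(d[name], d["home"], uid)
            for name in ("good", "outside", "link_out", "link_in", "file", "home")}


if __name__ == "__main__":
    for name, ok in demo_results().items():
        print(f"{name:9s} {'accept' if ok else 'reject'}")
```

The helper would run this check as the invoking user's uid before doing anything privileged. Comparing the inode of the opened directory against the earlier lstat narrows the window between check and use but does not close it; the remaining gap between this validation and the mount call itself is the "symlink race condition stuff" the comment refers to, which is the reason the non-setuid udisks path mentioned elsewhere in the thread is the stronger design.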

Wednesday's security updates

Posted Nov 3, 2011 16:35 UTC (Thu) by pataphysician (guest, #73773) [Link]

Calibre uses udisk by default, this mount helper does not need to be installed and most distros seem smart enough not to include it. The helper only gets used if udisk fails and the mount helper is also installed.

This is why the guy doesn't care about the bugs. Any distro looking at security shouldn't really include the mount helper for any reason, even if he fixed the code, but some people know that the security implication on their individual use scenario is inconsequential and they have an ereader that fails to work with udisk properly.

Really it's not bad for the guy to say if you want to use the helper, then you can fix the bugs yourself, as there is no requirement for the helper to be used at all as calibre uses udisk.

Wednesday's security updates

Posted Nov 3, 2011 16:54 UTC (Thu) by mpr22 (subscriber, #60784) [Link]

He should care about the bugs, because they're his responsibility. If he doesn't, he shouldn't be releasing software.

Wednesday's security updates

Posted Nov 3, 2011 17:32 UTC (Thu) by pataphysician (guest, #73773) [Link]

The tool is not fit for a system that cares even a little about security, as even if he made perfect fixes to the security issues, it would still be an unnecessary risk for future issues, either in itself or in exploits in other programs. Calibre already use udisk by default with no security issues, so the extra program is also totally unnecessary in most use scenarios.

That's why the security issues aren't bugs, as this program is not meant to be secure, if you want security let it use the default udisk behavior. The tool is provided if you don't care about security and you want to try and get the ereader working no matter what.

Wednesday's security updates

Posted Nov 3, 2011 17:42 UTC (Thu) by jake (editor, #205) [Link]

> That's why the security issues aren't bugs, as this program is not
> meant to be secure,

but if you install Calibre from source, it installs a setuid calibre-mount-helper program ... whether Calibre actually uses it or not is immaterial as it leaves the dangerous program around for others to use ...

jake

Wednesday's security updates

Posted Nov 3, 2011 18:16 UTC (Thu) by pataphysician (guest, #73773) [Link]

Well I've changed my mind, at first I thought this was only a problem if you went from source, which you always need to do your own due diligence, as many applications will be insecure installed from source, like mpd for example. I also assumed Calibre would tell you should always use your distro's version instead of building yourself, unless you know what you're doing, as this is what most sane upstreams do.

But they actually do the opposite on their download page, and tell you not to install your distro's version as it will probably be buggy, and you should use their binary installer. So I reverse everything I said, since Calibre is heavily pushing their own build, they should definitely completely remove the mount helper (no matter if they perfectly fix the code) from their build, and including it was really irresponsible.

Wednesday's security updates

Posted Nov 3, 2011 18:10 UTC (Thu) by njs (guest, #40338) [Link]

> This is why the guy doesn't care about the bugs. Any distro looking at security shouldn't really include the mount helper for any reason

This would be a more reasonable argument if he didn't also insist that everyone should avoid their distro packages and install calibre directly from him.

I'm somewhat sympathetic to his point of view, since calibre is fast-moving cross-platform software. But if you're going to take on the role of primary distributer, then you also need to take responsibility for the stuff that distributors do, like integration and security fixes.

Wednesday's security updates

Posted Nov 3, 2011 17:23 UTC (Thu) by slashdot (guest, #22014) [Link]

Wow, an impressive display of incompetence.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds