Source: cantata
Version: 2.3.0.ds1-1
Severity: important
Tags: security

cantata contains a helper program cantata-mounter which runs as root (via D-Bus activation) and allows unprivileged users to do privileged mount operations via D-Bus IPC. This turns out to have several security vulnerabilities (<http://www.openwall.com/lists/oss-security/2018/06/18/1>), with the worst-case impact being local root privilege escalation.

Mitigation: the Debian packaging doesn't seem to build cantata-mounter (or at least https://packages.debian.org/unstable/cantata says it isn't in the binary package for the architectures I tried). However, d/rules doesn't *explicitly* disable it, so I think there's a risk that it might become enabled by mistake in a future upload.

Please close this bug when either cantata-mounter is specifically disabled, or the upstream source has been upgraded to a version that no longer includes cantata-mounter.

Thanks,
smcv
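A post-build guard for the risk described in the report above (the helper silently becoming part of a future binary package), added here as an example and not part of the bug report, of cantata, or of its Debian packaging. It inspects a `dpkg-deb -c` style file listing; the D-Bus service and policy file names in the sample listing are constructed placeholders, not cantata's real ones.

```shell
#!/bin/sh
# Fail if the built package would ship cantata-mounter or the D-Bus system
# bus files that let the bus daemon start such a helper as root on request.

# Returns 0 when the listing is clean, 1 when a privileged-helper artifact is present.
check_listing() {
    listing="$1"
    status=0
    # 1. The helper binary itself (any path whose last component is cantata-mounter).
    if printf '%s\n' "$listing" | grep -Eq '(/|^)cantata-mounter$'; then
        echo "FAIL: cantata-mounter binary is shipped" >&2
        status=1
    fi
    # 2. A D-Bus *system* bus service file: this is the activation hook that
    #    makes an unprivileged client's method call launch the helper as root.
    if printf '%s\n' "$listing" | grep -Eq '/usr/share/dbus-1/system-services/[^/]+\.service$'; then
        echo "FAIL: D-Bus system service file is shipped" >&2
        status=1
    fi
    # 3. A system bus policy granting clients access to the helper's bus name.
    if printf '%s\n' "$listing" | grep -Eq '/(etc|usr/share)/dbus-1/system\.d/[^/]+\.conf$'; then
        echo "FAIL: D-Bus system bus policy is shipped" >&2
        status=1
    fi
    return $status
}

# For a real package: check_deb ../cantata_*.deb
# dpkg-deb -c prints "perms owner size date time ./path", so the path is field 6.
check_deb() {
    check_listing "$(dpkg-deb -c "$1" | awk '{print $6}' | sed 's|^\./|/|')"
}

# Constructed sample listings (not real package contents).
CLEAN_LISTING='/usr/bin/cantata
/usr/share/applications/cantata.desktop
/usr/share/doc/cantata/changelog.Debian.gz'

BAD_LISTING='/usr/bin/cantata
/usr/lib/cantata/cantata-mounter
/usr/share/dbus-1/system-services/example.cantata.mounter.service
/etc/dbus-1/system.d/example.cantata.mounter.conf'
```

Running `check_deb` from a dh_auto_install override or an autopkgtest makes the build fail the moment the helper reappears, rather than relying on someone noticing the package contents.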