Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Please pre-approve the following changes for caja in Debian jessie:
+ * debian/patches:
++ Add 0004_avoid-automounts-while-screen-is-locked.patch. Don't mount
+ newly added USB flash drives / optical disks / etc. while a session
+ is locked by the screensaver. Delay the automounting action until the
+ session has been unlocked again. (Closes: #781608).
- This patch fixes a nasty issue in caja when using the Change User
feature in KDM or GDM3.
Flash drives and optical disks will now only get automounted after the
session of a user has been unlocked. In previous versions of caja in
Debian, the flash drive / disc would have been mounted by the locked
session (and by the running session on another VT).
Apart from this being a security issue (but a no-dsa as stated by the
security team), the observed behaviour led to a race condition between
the MATE desktop sessions running in parallel. All of them would have
tried to mount freshly inserted devices simultaneously, which often made
flash drives and discs inaccessible for the currently active MATE desktop
session (because caja inside a locked session would have been faster and
thus locked the device).
light+love,
Mike
-- System Information:
Debian Release: 8.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru caja-1.8.2/debian/changelog caja-1.8.2/debian/changelog
--- caja-1.8.2/debian/changelog 2015-03-23 18:19:22.0 +0100
+++ caja-1.8.2/debian/changelog 2015-05-11 09:28:52.0 +0200
@@ -1,3 +1,13 @@
+caja (1.8.2-3+deb8u1) jessie-proposed-updates; urgency=medium
+
+ * debian/patches:
++ Add 0004_avoid-automounts-while-screen-is-locked.patch. Don't mount
+ newly added USB flash drives / optical disks / etc. while a session
+ is locked by the screensaver. Delay the automounting action until the
+ session has been unlocked again. (Closes: #781608).
+
+ -- Mike Gabriel sunwea...@debian.org Mon, 11 May 2015 09:28:03 +0200
+
caja (1.8.2-3) unstable; urgency=medium
* debian/control:
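Review bot: the new 1.8.2-3+deb8u1 entry describes the behaviour change but does not say that automounting inside a locked session is a security-relevant problem, which is the main justification for a jessie-proposed-updates upload. Consider adding a short clause to the entry saying so, so that the changelog alone explains why the fix closing #781608 goes into stable.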
diff -Nru caja-1.8.2/debian/patches/0004_avoid-automounts-while-screen-is-locked.patch caja-1.8.2/debian/patches/0004_avoid-automounts-while-screen-is-locked.patch
--- caja-1.8.2/debian/patches/0004_avoid-automounts-while-screen-is-locked.patch 1970-01-01 01:00:00.0 +0100
+++ caja-1.8.2/debian/patches/0004_avoid-automounts-while-screen-is-locked.patch 2015-05-11 09:26:06.0 +0200
@@ -0,0 +1,334 @@
+From adc45ec84298f6246d9ed219607bb5c169f50e08 Mon Sep 17 00:00:00 2001
+From: tarakbumba tarakbu...@gmail.com
+Date: Tue, 7 Apr 2015 00:07:27 +0300
+Subject: [PATCH 1/2] Fix for https://github.com/mate-desktop/caja/issues/398
+
+On the Shmoocon at 2011 there was a presentation by Jon Larimer demonstrating
+how to abuse vulnerabilities and bugs, or even just creating socially or
+security compromising thumbnails in mounting and thumbnailing, which happens
+on automounting USB drives. This is a particular issue when this happens on a
+locked box where the attacker doesn't otherwise have access to the user
+account:
+
+http://www.net-security.org/secworld.php?id=10544
+
+Disable automounting if the MATE screen saver is currently locked.
+
+See also https://bugzilla.gnome.org/show_bug.cgi?id=642020
+
+This commit is merely based on :
+https://git.gnome.org/browse/nautilus/commit/?h=gnome-2-32id=b7262fa945ef1ea936c15f0d248ad7a024d97dca
+
+v2: Patch rebased against caja 1.8.x (Mike Gabriel)
+---
+ src/caja-application.c | 232 -
+ src/caja-application.h | 4 +
+ 2 files changed, 232 insertions(+), 4 deletions(-)
+
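Review bot: the embedded patch header reads "Subject: [PATCH 1/2]", while the changelog entry only mentions adding the single file 0004_avoid-automounts-while-screen-is-locked.patch. Please state in the patch header or in the changelog whether part 2/2 of that series is contained in this file or was left out on purpose, and why.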
+--- a/src/caja-application.c
b/src/caja-application.c
+@@ -122,7 +122,10 @@
+ static void volume_added_callback (GVolumeMonitor *monitor,
+ GVolume *volume,
+ CajaApplication *application);
+-static void drive_connected_callback (GVolumeMonitor *monitor,
++static void volume_removed_callback(GVolumeMonitor *monitor,
++ GVolume *volume,
++ CajaApplication *application);
++ static void drive_connected_callback (GVolumeMonitor *monitor,
+ GDrive *drive,
+ CajaApplication *application);
+ static void drive_listen_for_eject_button (GDrive *drive,
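Review bot: in the prototype block the drive_connected_callback declaration is removed and re-added with only a leading space added ("-static void drive_connected_callback" becomes "+ static void drive_connected_callback"), which is whitespace-only churn in a stable update. Drop that change so the hunk only adds the volume_removed_callback prototype, and write it as "volume_removed_callback (" with a space before the parenthesis to match the neighbouring declarations.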
+@@ -362,7 +365,18 @@
+
+ g_object_unref (application-unique_app);
+
+-if (application-automount_idle_id != 0)
++ if (application-ss_watch_id 0)
++ {
++