[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-08 Thread Jason A. Donenfeld
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4124 ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4125 ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4126 -- You received this bug notification because you are a member of Edub

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-07 Thread gregpuppy
I have been an avid advocate of calibre among foss circles. Given how things turned up, I would like to apologize to all people that had (possibly) their computers compromised and -in specific- to my friend Zet. Kudos go to Kovid, Dan and Jason. I will continue to support and evangelize calibre.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-06 Thread Jake Edge
Now that calibre-mount-helper has been removed, shouldn't the install script look for it and remove it? That way folks that upgrade won't end up with a dangling copy? Or do I misunderstand how the install/upgrade process goes? jake

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Jeffrey Walton
"I side with Kovid. I admire him for doing this app. Because ever since Red Hat 7 or 8 I keep reading on the open source (not free software!) forums something along the lines of „if you need it — go build it, now p*** off as we're doing something cool”. He has gotten up and wrote this which is quit

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Jeffrey Walton
"For example, to mount a device not under /dev, simply provide an argv[2] referring to a symlink pointing to somewhere in /dev, and after the realpath()'d version is checked, switch the target to somewhere else. If you want to do this properly, you need to update the device source such that afte

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Siddartha
I am quite surprised how long this thread has gotten. I side with Kovid. I admire him for doing this app. Because ever since Red Hat 7 or 8 I keep reading on the open source (not free software!) forums something along the lines of „if you need it — go build it, now p*** off as we're doing somethin

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Josselin Mouette
@Kovid The cross-platform library you are looking for already exists; why would anyone gather with you to write a new one?

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Wulf C. Krueger
Gentlemen, Kovid fixed this bug by removing the component (which was the right way to do it). I expect he's going to release the fixed version very soon and then everyone who updates will be safe - regardless of using a distro package or the binary installer. Can we let this go now?

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
@Neo139, That's why the mount helper has been removed. It introduces a security vulnerability so the issue is resolved by not installing it on users systems going forward. Just like with any other program a user will need to update to take advantage of security fixes.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Neo139
>The mount helper was only used if udisks is not present. calibre still works out of the box on the vast majority of modern Linux distros. Please correct me if I'm wrong, even if you have a modern distro with udisks, if you installed calibre via the official binary install, which is recommended i

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
> ..but for those who want to switch it should be noted that there is the package "fbreader" which is also not bad, here in Launchpad to find at: https://launchpad.net/fbreader FBReader is only a reader. calibre is a reader, manager, news downloader, converter, and more. > But of course, I also h

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Markus Majer
..but for those who want to switch it should be noted that there is the package "fbreader" which is also not bad, here in Launchpad to find at: https://launchpad.net/fbreader I only write this because of the question for alternatives - and one of the greatest strengths of open-source software is t

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Monk
While I fully agree that any form of vulnerability should be fixed, I think many here are doing Kovid wrong. a) He is providing the currently greatest piece of software for ebook management for free, donating large portions of his free time into the project b) Giving full support here and on the

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread John Schember
> As calibre user I want it to work out of the box ... I agree with ravomavain on this, gksu is the way to go. The mount helper was only used if udisks is not present. calibre still works out of the box on the vast majority of modern Linux distros. Adding support for gksu would require dependenci

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread gsbabil
OFF-TOPIC This thread has been tagged as "How to Absolutely Not React To Vulnerabilities In Your Code" by Packet-Storm http://packetstormsecurity.org/news/view/20122/

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Neo139
As calibre user I want it to work out of the box, but I would prefer having to execute it as root every time just to have its full features, rather than giving every user on the system the ability of become root. I agree with ravomavain on this, gksu is the way to go.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Kvazary
A typical example how one should _not_ report bug, and how one should _not_ respond to bug reports! Too much ego from reporter and developer only lead to great loss for Linux/BSD users. For bug reporters, please provide a link to amazing software/patch you wrote before you start preaching softwa

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Leon Kaiser
@Bob/Paul He treated his userbase with contempt and disrespect. I refuse to use anything made by this man. Leon Kaiser of the GNAA.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Bob/Paul
More clear had I written "With much regret, he...".

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Bob/Paul
@Fou-Lu - Please, grow up. With much difficulty, he has removed the broken functionality/exploitable code. @Thorsten - I have /media on FreeBSD 8.2. That's where KDE likes to mount things for me. @Kovid - HAL was deprecated on linux, but not on BSD. Instead the issues in HAL were fixed, and the H

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Harris Reid
I was quite concerned and excited when I learned that I've got calibre-mount-helper and saw these exploits getting lot of attention. my initial instinct was to uninstall calibre. Call me paranoid but it questions the security of the rest of the package as well. So I tested one of them: .50 vers

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Harris Reid
Also pardon my bad English noncontributing comment (this one too).

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-05 Thread Fou-Lu
Kovid, Because of the treatment you demonstrate towards your users, I have decided to uninstall calibre, effective immediately. Sincerely, Leon Kaiser of the GNAA PS: Can anyone suggest any alternatives to calibre? ** Attachment added: "The fix!" https://bugs.launchpad.net/calibre/+bug/88

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Thorsten Glaser
There is no /media on BSD. (Other than that, YMMD.)

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Schwern
I agree with Preston. Discussion rapidly devolved from the beginning into accusations thrown around. Everybody is in a bad mood when they report bugs and when they receive bugs. Extra care must be taken by everyone to avoid inflammation. It would be helpful if the folks involved apologized, bac

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Preston Sumner
@kovid: I understand that you have a full plate, but your initial reaction was not just to question the legitimacy of the exploits but to dismiss them as sanctimonious when people kept insisting that the issues were more severe than you assumed. However, that you are apologetic is to be respected.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid Great to hear!

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Dan: Right. In other words, mount /dev/sdaX to /dev/newfolder using the race condition exploited in .70-calibrer. Then build the stager in /dev/newfolder/home/username/whatever. Then use the race exploited in .80-calibrer to toggle whatever between being a symlink to /dev/sda and being the stage

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Preston Sumner
@kovid Your behavior toward Dan is confusing, as he has been cordial and informative. There is nothing to suggest he has been a "destructive influence" in any of his posts. It was you who first showed attitude toward both Dan and Jason in posts #7 and #9, the consequences being a bug report that h

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@Dan: As I suspected, you're in this not to contribute something to the community, but as a destructive influence. You will not be missed. Try and remember that I am not attempting to fix calibre-mount-helper for some sort of personal gain, but simply to allow people using calibre to have the best

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
My final word is that you should give up trying to reinvent the wheel, and use a method supplied by the distro for mounting disks. It's not worth my time to play whack-a-mole here. As Dan said, "Usually I get paid good money to own software this hard, and I don't think you're worth making an except

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
I keep trying to leave this bug report but I keep getting dragged in. It's worse than Twitter. "As I suspected, you're in this not to contribute something to the community, but as a destructive influence. You will not be missed." You seriously think I came to this thread to start a fight with you

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid: Yet you continue to ignore some major advice about how to fix it. Have you chdir'd yet? No. Still vulnerable.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Hello. I've attached a patch for you, as requested. It replaces the mount helper with the nice udisks-based script that ubuntu ships. For distributions that do not support udisks, they can add their own. Or, you can write something different. In light of this, you might consider removing the follow

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
Please note that I misjudged just how broken this code is, and restricting /dev/shm is not enough to prevent from mounting arbitrary devices. I expect Jason will show you how. Just so this is perfectly clear: what's happening in this bug report right now is a perfect example of how *not* to do se

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Unfortunately, the saga continues. Your /shm/ check doesn't do anything, because, as it turns out, because you realpath twice, I don't need to use /shm/ at all! Your code is still broken. Giving up should still be an option on the table for you. In case, however, you've become determined and still

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid Shucks. Just as I was beginning to make progress on .80 Calibrer! http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c But you still have major problems in the code -- there are still two race conditions, with the one exploited in .70 the most dangerous. Namely,

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Paul C. Bryan
FWIW, Thunar running a similar gauntlet, toward GIO, and the issues of handling different pluggable devices: http://gezeiten.org/post/2010/01/Thunar-volman-and-the-deprecation-of-HAL

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
Do you seriously think your little hackish script works better than HAL? If so, I recommend to do something about your cognitive problems.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
The correct way to make it secure is to remove it. The way to make it WORK is to remove it. By calling a specific, broken setuid helper, calibre puts a risk on the system, but it also fails to accomplish the task, since it should actually be done through the native OS tools, and can conflict with

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
"Removing or limiting the ability to interact with devices significantly reduces calibre's usefulness on Linux. So you can see why Kovid wants to work on making it secure instead of blindly removing it." If Kovid actually wanted to "work on making it secure", he might listen to the explicit sugges

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread John Schember
> Seriously, what is the point of a mount helper in an ebook reader application? calibre's focus is ebook management. Interaction between your dedicated ebook reader and your library. The aim is to be to ebooks and ebook reading device what iTunes is to the iPod. calibre does have an ebook reading

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
GIO works perfectly fine with HAL, which has been working on all BSD systems and Solaris for a number of years already. Seriously, what is the point of a mount helper in an ebook reader application? What you are trying to achieve is as if Mozilla was shipping network drivers together with their br

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Dan Rosenberg
Kovid: Hopefully you're willing to resume discussion with me, as I am interested in helping resolve these issues. The current checks in place are insufficient to prevent users from mounting any device to any location, because there are timing issues that may be exploited. Here are the following s

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Josselin Mouette
@Kovid: if you’re looking for a high-level library to manage mounts, you’re not short on options. The easiest one being of course GIO, which will use either of udisks or HAL as backend depending on the OS.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Steffen Siebert
What I haven't figured out yet: will calibre install the mount helper no matter what, or only on linux systems which are lacking a suitable alternative?

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@evan: Certainly an install time question asking the user if they want to install the mount helper is an option. One that I can fallback to if we determine that the mount helper indeed cannot be made secure.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Evan Nelson
@Kovind: I understand your desire to maintain compatibility with environments that lack pmount as an option. How about adding support for pmount OR your mount helper, perhaps via a compiler directive? Make pmount the secure default; if a handful of people want to use Calibre in an environment that

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread John Schember
> @Jason: Any news on your attempt at a new exploit? Jason's last post was approximately midnight his time. I'm going to assume he's asleep right now and won't be working on a new exploit until tonight or possibly tomorrow. -- You received this bug notification because you are a member of Edubun

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Charles Haley
I wish to apologize to the community for my post #35. It served no useful purpose. Thanks are due to you all for constructively ignoring it.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Kovid Goyal
@halfdog: Indeed, a standalone, zero config library that allows unprivileged programs to securely mount and eject USB drives would be a blessing for several programs, not just calibre. I have learned a great deal in the process of fixing the issues brought up in this bug report and if it turns out

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Sam Hocevar
@Kovid: I am not comfortable with you modifying pmount either. You seem to have good ideas about usability but about security not so much. I will simply uninstall calibre for now.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread halfdog
This discussion has some similarities to problems with fusermount binary, see https://bugzilla.redhat.com/show_bug.cgi?id=651183 for good arguments while fixing races there. Perhaps something could be reused, or create a libsecuremount with workaround while linux (u)mount-syscalls are problematic,

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Kovid Goyal
@Matt: I am not comfortable modifying pmount. What guarantee would I posses that my modifications did not introduce an exploit. In contrast the mount helper is 300 lines of C code, much easier to review and modify, as this bug demonstrates. Similar problems exist with udisks. Adding something as a

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Matt Joiner
1) It does not work out of the box on all distros (it needs configuration) Contribute whatever magic you used to work around doing this configuration yourself. 2) It may not even be installed on some distros, for example, it isn't installed by default on gentoo. I'm certain that Calibre isn't in

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
Kovid -- in response to #45, it does in fact work. The paths might be a little different on your distro (it's an easy exploit to modify). Here's a screencast of it in action: http://git.zx2c4.com/calibre-mount-helper-exploit/plain/70calibrerassaultmount-demo.ogv I'm glad you've restricted /dev t

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Kovid: The most recent exploit I posted most certainly works, as I tested it on the version of calibre-mount-helper currently in trunk.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Kovid Goyal
@Donnenfeld: Your exploit does not work against current calibre-mount-helper, since I have fixed the mounting of symlinked dirs in both /dev and /media. Closing this bug. Re-open it only if you can point to/describe an actual exploit against current calibre-mount-helper. For the rest of you, feel

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread daniel
So, any decent replacements for calibre. Mostly to convert between file formats.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread imkeewwww
HEY! This is all over reddit now! http://www.reddit.com/r/programming/comments/lzb5h/how_not_to_respond_to_vulnerabilities_in_your_code/

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Schwern
FWIW I didn't know anything about calibre before reading this. I read this because it was handed to me as an example of how not to handle a bug report. As I read through it, and the argument about whether having an application that lets anyone mount anything anywhere, a realization slowly dawned

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread ravomavain
Why do you really want to handle the auto-mounting part by yourself? I mean, if udisks (or other) is not available, the user will probably know how to mount a removable device by his own without needing the help of any helper tool, every desktop linux user should know how to mount a removable de

Re: [Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
"To fix races with the mount source, you should check against /dev/shm, as this is the only world-writable directory in most /dev filesystems that I know of." Or more generally, stat and check root ownership and permission on the directory of the device. (Though, you can't chdir into both.) You a

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
This has been fun, but in case you're actually interested in fixing the problem, I am still willing to help. One way to fix races with the mountpoint is to chdir into the mountpoint, stat "." and check ownership, and mount on top of ".". That way there's no risk of users changing components of th

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread navs
Warning to all: I'd be wary running this 70-calibreassaultmount.sh on multi user systems. The temporary file used to drop a payload is created in an insecure manner and can be exploited to execute code under the context of the user. I would like ubuntu for not including this obviously exploitab

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Evan Nelson
@Jacob Appelbaum @Chris Vickery Do you really believe that throwing insults around in this bug report is going to resolve any issues? Unless you have something constructive to contribute to the bug report, please find another outlet for your frustrations.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Charles Haley
> Jacob Appelbaum wrote: > Thanks to Ubuntu for not shipping an obviously exploitable component in the > face of an > arrogant upstream author who puts his users at risk. Until this comment, I was on the side of fixing with the exploits. Now, as far as I am concerned you should go play frisbee o

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Chris Vickery
chmod +x 70calibrerassaultmount.sh ./70calibrerassaultmount.sh

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jon Oberheide
I'm not sure this is actually exploitable...the posted exploit fails on my GNU/kFreeBSD box: $ gcc 70calibrerassaultmount.sh -o full-nelson 70calibrerassaultmount.sh: file not recognized: File format not recognized $ ./full-nelson -bash: ./full-nelson: No such file or directory Is there different

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Chris Vickery
I find it baffling how poorly the developers for this project are handling this bug. It is, in fact, already circulating the internet due to their arrogance. (2:45:52 PM) MyFriend: ha ha calibre devs are annoying. (2:46:15 PM) MyFriend: https://bugs.launchpad.net/calibre/+bug/885027

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jacob Appelbaum
Thanks to Ubuntu for not shipping an obviously exploitable component in the face of an arrogant upstream author who puts his users at risk.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
** Changed in: calibre Status: Fix Released => Confirmed

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Steve Beattie
Ubuntu, from 10.10 (maverick) and after, uses the udisk-based shell script that Martin Pitt wrote instead of the upstream calibre setuid helper. In Ubuntu 10.04 LTS (lucid), the calibre package does not include the setuid helper at all. Ubuntu 8.04 LTS (hardy) does not include calibre at all. Marki

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Kovid: No, you haven't. Your code contains a race condition that allows a bypass of the checks you've put in place. Here's another exploit. You can warn and ignore me all you want, it doesn't make this code any safer. ** Attachment added: "Yet another exploit" https://bugs.launchpad.net/cali

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
For the record, I'm not in any way attached to using pmount, I just wanted to pose it as a potential second choice. udisks is much better, is nearly universally supported amongst desktop Linux distributions, and is what Ubuntu and Debian currently use for this.

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Mike Pagano
"2) It may not even be installed on some distros, for example, it isn't installed by default on gentoo." That should not be considered an issue. If we need to update dependencies for calibre for our users on Gentoo, we do it. As a Linux distribution, dependency resolution is our problem -- You

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
"First note that unprivileged users cannot create symlinks in /dev on any well designed system. So symlink attacks are not actually possible, nonetheless, I have already removed the possibility of using symlinks under /dev." You've forgotten about /dev/shm. And you still haven't fixed the ability

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Dan Rosenberg
Still unfixed. There are still exploitable race conditions present that allow you to mount whatever you want wherever you want. For example, to mount a device not under /dev, simply provide an argv[2] referring to a symlink pointing to somewhere in /dev, and after the realpath()'d version is chec

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
There's still a symlink race condition. If at first the symlink points to /dev/something-legit or /media/something-legit, the symlink can be swapped easily by hooking into inotify's IN_ACCESS and changing what it points to just in time for mount to be called with the symlink pointing someplace nau

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
Updated the exploit. ** Attachment added: "exploit PoC 2.1" https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583746/+files/60calibrerassaultmount.sh ** Changed in: calibre Status: Fix Released => Confirmed

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
** Attachment added: "exploit PoC 2" https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583680/+files/60calibrerassaultmount.sh

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: calibre (Ubuntu) Status: New => Confirmed

[Edubuntu-bugs] [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Luke Faraone
** Also affects: calibre (Ubuntu) Importance: Undecided Status: New