I keep trying to leave this bug report but I keep getting dragged in.
It's worse than Twitter.
"As I suspected, you're in this not to contribute something to the
community, but as a destructive influence. You will not be missed."
You seriously think I came to this thread to start a fight with you
Please note that I misjudged just how broken this code is, and
restricting /dev/shm is not enough to prevent mounting arbitrary
devices. I expect Jason will show you how.
Just so this is perfectly clear: what's happening in this bug report
right now is a perfect example of how *not* to do se
"Removing or limiting the ability to interact with devices significantly
reduces calibre's usefulness on Linux. So you can see why Kovid wants to
work on making it secure instead of blindly removing it."
If Kovid actually wanted to "work on making it secure", he might listen
to the explicit sugges
Kovid: Hopefully you're willing to resume discussion with me, as I am
interested in helping resolve these issues.
The current checks in place are insufficient to prevent users from
mounting any device to any location, because there are timing issues
that may be exploited. Here are the following s
Kovid: The most recent exploit I posted most certainly works, as I
tested it on the version of calibre-mount-helper currently in trunk.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SU
This has been fun, but in case you're actually interested in fixing the
problem, I am still willing to help.
One way to fix races with the mountpoint is to chdir into the
mountpoint, stat "." and check ownership, and mount on top of ".". That
way there's no risk of users changing components of th
Kovid: No, you haven't. Your code contains a race condition that allows
a bypass of the checks you've put in place. Here's another exploit.
You can warn and ignore me all you want, it doesn't make this code any
safer.
** Attachment added: "Yet another exploit"
https://bugs.launchpad.net/cali
For the record, I'm not in any way attached to using pmount, I just
wanted to pose it as a potential second choice. udisks is much better,
is nearly universally supported amongst desktop Linux distributions, and
is what Ubuntu and Debian currently use for this.
"First note that unprivileged users cannot create symlinks in /dev
on any well designed system. So symlink attacks are not actually
possible, nonetheless, I have already removed the possibility of using
symlinks under /dev."
You've forgotten about /dev/shm.
And you still haven't fixed the ability
Still unfixed. There are still exploitable race conditions present that
allow you to mount whatever you want wherever you want.
For example, to mount a device not under /dev, simply provide an argv[2]
referring to a symlink pointing to somewhere in /dev, and after the
realpath()'d version is chec
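The two fixes discussed in this thread (pinning the mount point by chdir'ing into it, stat'ing "." and mounting on top of ".", and never re-resolving a user-supplied path between the check and the mount) as an added example in C. This is not calibre's mount helper; `pin_mountpoint`, its flag choices, the refusal of world-writable directories and its return codes are this example's own assumptions.

```c
#define _GNU_SOURCE
/* Added example, not calibre-mount-helper. Pin the mount point to a verified
 * directory fd so that swapping a path component (or a symlink under /dev/shm)
 * between the check and the mount cannot change what gets mounted on. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the directory without following a symlink at the final component,
 * verify it is a directory owned by the invoking (real) user, then make it
 * the current directory and re-check "." is the same inode. Returns 0 on
 * success (cwd is now the verified directory; mount on "."), -1 otherwise. */
int pin_mountpoint(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* missing, not a directory, or a symlink (ELOOP) */

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    /* This example's own extra check: refuse directories others can write to. */
    if (st.st_mode & S_IWOTH) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    if (fchdir(fd) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    /* "." is what mount() will operate on; confirm it is the inode we checked. */
    struct stat cur;
    if (stat(".", &cur) < 0 || cur.st_dev != st.st_dev || cur.st_ino != st.st_ino)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <mountpoint> <device> <fstype>\n", argv[0]);
        return 2;
    }
    if (pin_mountpoint(argv[1]) < 0) {
        fprintf(stderr, "refusing mount point %s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    /* Mount on ".", the directory just verified, never on argv[1] again.
     * The device argument needs the same fd-based treatment (not shown here);
     * MS_NOSUID|MS_NODEV|MS_NOEXEC limits what an attacker-chosen filesystem
     * can do once mounted. Requires root (or a setuid helper) to succeed. */
    if (mount(argv[2], ".", argv[3], MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) {
        perror("mount");
        return 1;
    }
    return 0;
}
```

The point of checking with `fstat` on an fd and then mounting on "." is that the kernel resolves the target once, at `open`, and every later operation refers to that inode; a `realpath()` string that is checked and then passed back to `mount()` is resolved a second time, under the attacker's control.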
Sigh. For the record, this issue existed prior to the recent
fixes...sorry for missing it. Additionally, this by itself doesn't seem
to be a vulnerability, since a mis-assigned group ID on mtab doesn't
actually allow the unprivileged user to cross any privilege boundaries.
But good catch, definit
This bug affects me too. I'm unable to attach the document or Apport
log for this crash since my document contains private data, but a stack
trace can be found below. The bug is due to invoking
rtl_str_getLength() on a NULL value.
Version is:
LibreOffice 3.3.2
OOO330m19 (Build:202)
tag libreoff
Yes, especially since the WMV issue is publicly visible in ffmpeg's bug
tracker. Thanks for waiting.
** Visibility changed to: Public
--
https://bugs.launchpad.net/bugs/690169
Title:
Me
** Description changed:
** Visibility changed to: Public
--
https://bugs.launchpad.net/bugs/696616
Title:
Heap corruption in font parsing with FreeType2 backend
** Attachment added: "Crashes poppler"
https://bugs.launchpad.net/bugs/685653/+attachment/1756707/+files/crash.pdf
--
https://bugs.launchpad.net/bugs/685653
Title:
libpoppler crashes
Public bug reported:
Attached file created via fuzzing crashes poppler (tested with both
evince and pdftotext). It appears to be due to excessive, possibly
recursive malloc calls that cause stack exhaustion. Almost definitely
not security-relevant.
** Affects: poppler (Ubuntu)
Importance:
Patch v3, fixed casts to work properly on 64-bit machines.
** Patch added: "Fix version 3"
http://launchpadlibrarian.net/53168981/readelf-fix-v3.patch
--
readelf: fixes for multiple crashes
https://bugs.launchpad.net/bugs/614206
Upstream bug entry
http://sourceware.org/bugzilla/show_bug.cgi?id=11889
** Bug watch added: Sourceware.org Bugzilla #11889
http://sourceware.org/bugzilla/show_bug.cgi?id=11889
--
readelf: fixes for multiple crashes
https://bugs.launchpad.net/bugs/614206
Apologies, minor indexing tweak.
** Patch added: "Patch v2"
http://launchpadlibrarian.net/53144133/readelf-crashes.patch
--
readelf: fixes for multiple crashes
https://bugs.launchpad.net/bugs/614206
** Patch added: "Patch for readelf crashes"
http://launchpadlibrarian.net/53143685/readelf-crashes.patch
--
readelf: fixes for multiple crashes
https://bugs.launchpad.net/bugs/614206
Public bug reported:
Binary package hint: binutils
readelf crashes very easily when parsing malformed binaries. The
attached patch fixes three floating point exceptions (divide-by-zero)
and approximately 13 out-of-bounds reads (due to null pointer
dereference, integer overflows, and bad array in
jduck rightly noticed that my previous fix would break certain
functionality (like %0a in URLs), since '0' ASCII also returns 0 from
hex_decode(). This new patch is better, and is thanks to him.
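An added example (not lynx's code) of the distinction jduck pointed out: a hex helper that signals failure with 0 cannot tell "%0a" from "%zz", so the decoder must use an out-of-band error value and bounds-check every write. `hex_decode` and `url_unescape` are this example's own names and signatures.

```c
/* Added example, not lynx's code: percent-decoding whose hex helper
 * distinguishes "invalid digit" (-1) from "digit with value 0" ('0'). */
#include <stddef.h>
#include <string.h>

/* Returns 0..15 for a hex digit, -1 otherwise. '0' legitimately yields 0,
 * so callers must compare against -1, never against 0. */
int hex_decode(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from src into dst (capacity dstsz, always NUL-terminated).
 * Malformed or truncated escapes ("%zz", trailing "%4") are copied literally
 * rather than consumed past the end of the input. Returns the number of bytes
 * written excluding the NUL, or (size_t)-1 if dst is too small. */
size_t url_unescape(const char *src, char *dst, size_t dstsz)
{
    size_t out = 0;
    if (dstsz == 0)
        return (size_t)-1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        /* Short-circuit keeps us from reading src[i+2] when src[i+1] is the NUL. */
        if (c == '%' && src[i + 1] != '\0' && src[i + 2] != '\0') {
            int hi = hex_decode((unsigned char)src[i + 1]);
            int lo = hex_decode((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {          /* -1 test, so "%00" and "%0a" decode */
                c = (hi << 4) | lo;
                i += 2;
            }
        }
        if (out + 1 >= dstsz)                  /* room for this byte plus the NUL */
            return (size_t)-1;
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return out;
}
```

Because "%00" decodes to a NUL byte, callers should rely on the returned length rather than on `strlen(dst)` when the decoded data is passed on.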
** Patch added: "Better patch"
http://launchpadlibrarian.net/53134271/lynx-fix-2.patch
--
Heap ov
** Visibility changed to: Public
--
Heap overflow when parsing malformed URLs
https://bugs.launchpad.net/bugs/613254
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.
Made public with commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395
Second item listed was identified as not being a security issue and may
not be necessary to "fix".
** Visibility changed to: Public
--
btrfs security is
8.71 is not vulnerable to the first bug (stack overflow in token
parsing), but is vulnerable to the second (infinite recursion memory
corruption).
--
Multiple memory corruption vulnerabilities in Ghostscript
https://bugs.launchpad.net/bugs/546009
** Visibility changed to: Public
--
Multiple memory corruption vulnerabilities in Ghostscript
https://bugs.launchpad.net/bugs/546009
CVE-2010-0750
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0750
--
pkexec information disclosure vulnerability
https://bugs.launchpad.net/bugs/532852
Public bug reported:
Binary package hint: policykit-1
I reported this bug upstream along with a patch, I just wanted to
crosspost it here:
https://bugs.freedesktop.org/show_bug.cgi?id=27330
In pkexec.c, user information is looked up using getpwnam_r. The program
checks if the return code is no
As promised...this takes the same approach as before - dropping the egid
before calls to open() or creat(). I made another pass through the code
to make sure there weren't any other vulnerable calls, so this should
finally kill these bugs. I tested using the reproducer to confirm it
fixes the rac
New patch coming right up, ready in 10 minutes.
--
Emacs movemail race condition
https://bugs.launchpad.net/bugs/531569
The fix has been signed off and committed upstream:
http://cgit.freedesktop.org/PolicyKit/commit/?id=14bdfd816512a82b1ad258fa143ae5faa945df8a
Kees, do issues this minor typically get CVEs? Your call.
--
pkexec information disclosure vulnerability
https://bugs.launchpad.net/bugs/532852
I filed a bug entry upstream, and included an updated version of the
patch (only change was removing the now-unnecessary stat struct
declaration):
https://bugs.freedesktop.org/show_bug.cgi?id=26982
** Bug watch added: freedesktop.org Bugzilla #26982
https://bugs.freedesktop.org/show_bug.cgi?id
New patch added. I see no reason to allow pkexec to execute targets
that are not accessible to the executing user because of directory
permissions. This is such a limited use case anyway that this doesn't
really affect functionality.
I replaced the stat() call entirely with access() using F_OK,
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0012
--
Local file overwriting due to directory traversal
https://bugs.launchpad.net/bugs/500625