There's still a symlink race condition. If at first the symlink points
to /dev/something-legit or /media/something-legit, the symlink can be
swapped easily by hooking into inotify's IN_ACCESS and changing what it
points to just in time for mount to be called with the symlink pointing
someplace naughty. An example of the technique is presented here:
http://www.exploit-db.com/exploits/17932/ .

So, the vulnerability still stands.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027

Title:
  SUID Mount Helper has 5 Major Vulnerabilities
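
The race described in the comment above exists because the path is checked at one moment and resolved again when mount is called. The following is an added example, not code from this thread or from calibre: a sketch of the usual mitigation, which opens the path once with `O_NOFOLLOW`, validates the descriptor, and keeps using that descriptor. The names `open_mountpoint` and `swap_demo` and the `/tmp` scenario are hypothetical and constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the mount point once, refusing a symlink as the final path component,
 * then validate the opened object itself with fstat(), never the path again.
 * Returns a descriptor, or -1 if the path is rejected. */
int open_mountpoint(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* symlink, missing, or not a directory */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;   /* on Linux, hand "/proc/self/fd/<fd>" to mount(2) as target */
}

/* Constructed scenario: validate <tmp>/mnt, then replace that name with a
 * symlink. Returns 1 if the descriptor still names the validated directory
 * and a fresh open of the swapped name is refused; -1 on setup failure. */
int swap_demo(void)
{
    char base[] = "/tmp/mnt-race-XXXXXX", mnt[64], moved[64];
    struct stat before, after;
    if (!mkdtemp(base)) return -1;
    snprintf(mnt, sizeof mnt, "%s/mnt", base);
    snprintf(moved, sizeof moved, "%s/moved", base);
    if (mkdir(mnt, 0700) != 0) return -1;

    int fd = open_mountpoint(mnt, geteuid());
    if (fd < 0 || fstat(fd, &before) != 0) return -1;
    if (rename(mnt, moved) != 0 || symlink(base, mnt) != 0) return -1;

    int reopened = open_mountpoint(mnt, geteuid());   /* name is now a symlink */
    int same = fstat(fd, &after) == 0 && before.st_dev == after.st_dev
               && before.st_ino == after.st_ino;
    if (reopened >= 0) close(reopened);
    close(fd); unlink(mnt); rmdir(moved); rmdir(base);
    return same && reopened < 0;
}

int main(void) { printf("swap_demo: %d\n", swap_demo()); return 0; }
```

`O_NOFOLLOW` only covers the final path component; symlinks in parent directories need a per-component `openat()` walk or, on Linux 5.6 and later, `openat2()` with `RESOLVE_NO_SYMLINKS`.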
