Typo in UDisks action

Bug #1899019 reported by kev
Affects: policykit-desktop-privileges (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

It appears that com.ubuntu.desktop.pkla contains a typo in the UDisks section:

[Mounting, checking, etc. of internal drives]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.udisks.filesystem-*;org.freedesktop.udisks.drive-ata-smart*;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock-system;org.freedesktop.udisks2.filesystem-fstab;
ResultActive=yes

Notice that the first two actions contain the string "udisks", rather than "udisks2", which appears to be a typo.

However, the typo is actually a lucky accident because it is preventing a vulnerability in UDisks from being exploited. The vulnerable code in UDisks is protected by the `org.freedesktop.udisks2.filesystem-take-ownership` polkit action, so it will become accessible if the typo is fixed. I have separately reported the UDisks vulnerability to the maintainers of UDisks. I have attached a copy of that report for your information.

I would recommend removing the first two actions from this file. Since they don't currently work, presumably nobody will miss them if they are removed.
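
An added audit example, not part of the original report or of the package: it parses the section quoted above and lists which `Action` globs cover a given polkit action ID for a given identity, which makes it easy to confirm that the `udisks` (v1) globs do not reach `org.freedesktop.udisks2.filesystem-take-ownership`. The function names are hypothetical, the matcher assumes `*` and `?` are the only wildcards, and the last action ID in the demo loop is constructed.

```python
import re

# Section quoted in the bug description, embedded so the check runs offline.
PKLA = """\
[Mounting, checking, etc. of internal drives]
Identity=unix-group:admin;unix-group:sudo
Action=org.freedesktop.udisks.filesystem-*;org.freedesktop.udisks.drive-ata-smart*;org.freedesktop.udisks2.filesystem-mount-system;org.freedesktop.udisks2.encrypted-unlock-system;org.freedesktop.udisks2.filesystem-fstab;
ResultActive=yes
"""

def parse_pkla(text):
    """Parse .pkla text into section dicts with list-valued Identity/Action."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "Identity": [], "Action": []}
            sections.append(cur)
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            if key in ("Identity", "Action"):
                cur[key] = [v for v in value.split(";") if v]  # drop empty tail after final ';'
            else:
                cur[key] = value
    return sections

def glob_match(glob, value):
    """Assumption: '*' and '?' are the only wildcards; everything else is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def grants(sections, identity, action_id):
    """Return (section, action glob, ResultActive) for every entry covering the pair."""
    hits = []
    for s in sections:
        if not any(glob_match(i, identity) for i in s["Identity"]):
            continue
        hits += [(s["name"], g, s.get("ResultActive"))
                 for g in s["Action"] if glob_match(g, action_id)]
    return hits

if __name__ == "__main__":
    rules = parse_pkla(PKLA)
    for action in ("org.freedesktop.udisks2.filesystem-take-ownership",
                   "org.freedesktop.udisks2.filesystem-mount-system",
                   "org.freedesktop.udisks.filesystem-example"):  # last ID is constructed
        print(action, "->", grants(rules, "unix-group:sudo", action) or "no override")
```

Running the same check over every file in the local authority directory before and after a policy change shows exactly which action IDs gain or lose an override.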

Marc Deslauriers (mdeslaur) wrote :

That's not a typo, those are the rules for udisks v1 which we shipped in older releases at the same time as udisks2. We should remove them, they haven't been needed for a long time now.

kev (kbackhouse2000) wrote :

Hi Marc. Thanks! I heard back from the UDisks2 team, who said the same thing: these policies are correct, but refer to an obsolete version of the software. They also said that they are already aware of the symlink issue in the TakeOwnership method, but do not consider it a vulnerability because the vulnerable code is gated by polkit. So I am happy to close this issue.

Seth Arnold (seth-arnold) wrote :

Hello Kevin, thanks for the excellent GHSL-2020-161 report. Given that the polkit rules are intentional, if ancient, and the udisks2 team doesn't want to treat the symlink finding as a security bug, I'm going to open this publicly and mark it wontfix, to reflect what's likely going to happen for our currently released systems.

I do hope upstream handles the symlink discovery eventually but I can appreciate why they wouldn't want to handle it as a security issue.

Thanks

information type: Private Security → Public Security
Changed in policykit-desktop-privileges (Ubuntu):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package policykit-desktop-privileges - 0.22

---------------
policykit-desktop-privileges (0.22) mantic; urgency=medium

  * Include a .rules in the new javascript format for newer polkitd
  * Remove old legacy udisks1 actions (lp: #1899019)
  * Remove the network manager system connection override
    there is a similar entry included in the network-manager package
  * Update copyright, debhelper and standards version
  * Remove old breaks, update for the new polkitd binary naming

 -- Sebastien Bacher <email address hidden> Mon, 05 Jun 2023 11:58:29 +0200

Changed in policykit-desktop-privileges (Ubuntu):
status: Won't Fix → Fix Released