Security problems (unacceptable behaviour) in sharing content via FSStore backend
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Coherence | Fix Released | Unknown | |
coherence (Ubuntu) | Won't Fix | Low | Unassigned |
Bug Description
I have reported this bug upstream also -http://
Here are the actual problems:
There are a couple of security problems when using the FSStore backend in Coherence 0.6.6.2. They consist of unacceptable behaviour, such as sharing inappropriate content without users being aware of it... Namely:
1. When the plugin is used without any content option (i.e. content is None) it by default shares the Music, Videos and Pictures folders (using the xdg.py return values). This can be tested by starting applet-coherence for example. It uses
"coherence --plugin=
as a command line and thus exporting the above mentioned folders (this is when there is no ~/.coherence config file which is the default state of the package).
* Problem: The problem is that the user is not aware of this behaviour and these folders could contain sensitive materials that the user does not want to share.
* Solution: It is much better to use as default share folder the XDG_PUBLICSHARE
2. When an empty content is passed to update_config() in FSStore backend (for example when all content is removed by the export widget in av_widgets.py), the os.path.abspath("") expands to the user's home folder thus exporting all his folders and files there. This is totally unacceptable. This case can be tested using the Nautilus coherence extensions with a "Sharing as a Media Server" option.
I have created a patch to fix these problems.
The sources debdiff file is between coherence_
I know that adding new features to a package in maverick-security is unacceptable, but I put a very small fix into applet-coherence too, fixing an upstream bug I have reported for the applet - http://
It doesn't change the functionality so much, so I hope it will remain.
The tests I have run on my maverick with this package are OK and no bugs have been found till now...
I put this as a security vulnerability because sharing users' content without their explicit notice is unacceptable.
Anyway it is up to you how you will react.
I have the package in my PPA too - https:/
And ... I will add another bug for the small fixes of applet-coherence too.
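The two behaviours in the report, modelled next to a checked variant, as an added example that is not Coherence code and not the reporter's patch. The function names, the `DEFAULT_MEDIA` values and the refusal of the home folder and its ancestors are assumptions made for illustration; note that `os.path.abspath("")` returns the process's current working directory, which is the home folder when the service is started from there.

```python
import os

# Stand-ins for the xdg.py media folders named in the report (assumed values).
DEFAULT_MEDIA = ["~/Music", "~/Videos", "~/Pictures"]


def share_paths_reported(content):
    """Model of the reported behaviour (hypothetical helper, not FSStore code)."""
    if content is None:
        # Problem 1: no content option silently exports the media folders.
        content = [os.path.expanduser(p) for p in DEFAULT_MEDIA]
    # Problem 2: abspath("") is the current working directory, so an empty
    # entry exports whatever directory the process was started in.
    return [os.path.abspath(p) for p in content]


def share_paths_checked(content, home, public_share):
    """Hardened variant: explicit default, no empty or over-broad entries."""
    if content is None:
        return [public_share]  # the report's proposal: XDG_PUBLICSHARE
    home = os.path.realpath(home)
    accepted = []
    for entry in content:
        if not entry or not entry.strip():
            continue  # never hand "" to abspath()/realpath()
        path = os.path.realpath(os.path.expanduser(entry))
        # Assumption beyond the report: also refuse the home folder itself
        # and any ancestor of it, since either would expose everything in it.
        if path == home or home.startswith(path.rstrip(os.sep) + os.sep):
            continue
        accepted.append(path)
    return accepted


if __name__ == "__main__":
    home = os.path.expanduser("~")
    public = os.path.join(home, "Public")  # constructed sample value
    print(share_paths_reported([""]))
    print(share_paths_checked([""], home, public))
    print(share_paths_checked(None, home, public))
```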
Changed in coherence: | |
status: | Unknown → New |
tags: | added: patch |
visibility: | private → public |
Changed in coherence (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Low |
Changed in coherence: | |
status: | New → Fix Released |
Coherence is not part of the ESM supported packages list: https://wiki.ubuntu.com/SecurityTeam/ESM/14.04#A14.04_Infrastructure_ESM_Packages
So marking it Won't Fix