usb-creator-helper allows any user to umount any filesystem

Bug #771553 reported by Evan Broder
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
usb-creator (Ubuntu)
Fix Released
High
Kees Cook

Bug Description

Binary package hint: usb-creator-common

/usr/share/usb-creator/usb-creator-helper exposes a method called UnmountFile over D-Bus which passes its argument directly to umount.

This lets any user unmount an arbitrary filesystem by running something like:

dbus-send --system --type=method_call --print-reply --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.UnmountFile string:/boot

Changed in usb-creator (Ubuntu):
assignee: nobody → Kees Cook (kees)
importance: Undecided → High
status: New → Triaged
Revision history for this message
Kees Cook (kees) wrote :

CVE-2011-1828

Revision history for this message
Kees Cook (kees) wrote :

It looks like the com.ubuntu.USBCreator.UnmountFile method is not polkit-wrapped. The others look to be checked, so that's good.

Evan (ev)
Changed in usb-creator (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Evan (ev) wrote :
Revision history for this message
Evan (ev) wrote :
Revision history for this message
Evan (ev) wrote :

Lets try this again...

Revision history for this message
Evan (ev) wrote :
Revision history for this message
Evan (ev) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.2.28.3

---------------
usb-creator (0.2.28.3) natty-security; urgency=low

  [ Marc Deslauriers ]
  * SECURITY UPDATE: unprivileged disk operations (LP: #771553)
    - CVE-2011-1828
  * setup.cfg: Specify policykit policy file as xml_file so it gets
    translated properly instead of being malformed.

  [ Evan Dandrea ]
  * Guard UnmountFile with PolicyKit (LP: #771553).
 -- Marc Deslauriers <email address hidden> Fri, 29 Apr 2011 13:06:10 -0400

Changed in usb-creator (Ubuntu):
status: Fix Committed → Fix Released
visibility: private → public
Revision history for this message
Mario Limonciello (superm1) wrote :

This has a negative side effect that in the process of writing a USB disk you are now asked several times to enter a password. Can this be cached?

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers