Ubuntu
usb-creator package

usb-creator-helper allows any user to umount any filesystem

Bug #771553 reported by Evan Broder on 2011-04-26

268

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	usb-creator (Ubuntu)	Fix Released	High	Kees Cook

Bug Description

Binary package hint: usb-creator-common

/usr/share/usb-creator/usb-creator-helper exposes a method called UnmountFile over D-Bus which passes its argument directly to umount.

This lets any user unmount an arbitrary filesystem by running something like:

dbus-send --system --type=method_call --print-reply --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.UnmountFile string:/boot

Related branches

lp:usb-creator

lp:ubuntu/lucid-security/usb-creator

lp:ubuntu/maverick-security/usb-creator

lp:ubuntu/natty-security/usb-creator

lp:ubuntu/oneiric/usb-creator

CVE References

2011-1828

Jamie Strandboge (jdstrand) on 2011-04-27

Changed in usb-creator (Ubuntu):
assignee:	nobody → Kees Cook (kees)
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

Kees Cook (kees) wrote on 2011-04-27:

CVE-2011-1828

Revision history for this message

Kees Cook (kees) wrote on 2011-04-27:

It looks like the com.ubuntu.USBCreator.UnmountFile method is not polkit-wrapped. The others look to be checked, so that's good.

Evan (ev) on 2011-04-28

Changed in usb-creator (Ubuntu):
status:	Triaged → Fix Committed

Revision history for this message

Evan (ev) wrote on 2011-04-28:

usb-creator.patch Edit (93.3 KiB, text/plain)

Revision history for this message

Evan (ev) wrote on 2011-04-28:

maverick Edit (1.2 KiB, text/plain)

Revision history for this message

Evan (ev) wrote on 2011-04-28:

maverick Edit (2.6 KiB, text/plain)

Lets try this again...

Revision history for this message

Evan (ev) wrote on 2011-04-28:

natty Edit (2.6 KiB, text/plain)

Revision history for this message

Evan (ev) wrote on 2011-04-28:

lucid Edit (2.6 KiB, text/plain)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-05-02:

This bug was fixed in the package usb-creator - 0.2.28.3

---------------
usb-creator (0.2.28.3) natty-security; urgency=low

  [ Marc Deslauriers ]
  * SECURITY UPDATE: unprivileged disk operations (LP: #771553)
    - CVE-2011-1828
  * setup.cfg: Specify policykit policy file as xml_file so it gets
    translated properly instead of being malformed.

[ Evan Dandrea ]
* Guard UnmountFile with PolicyKit (LP: #771553).
-- Marc Deslauriers <email address hidden> Fri, 29 Apr 2011 13:06:10 -0400

Changed in usb-creator (Ubuntu):
status:	Fix Committed → Fix Released

Marc Deslauriers (mdeslaur) on 2011-05-02

visibility:

private → public

Revision history for this message

Mario Limonciello (superm1) wrote on 2011-07-26:

This has a negative side effect that in the process of writing a USB disk you are now asked several times to enter a password. Can this be cached?

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuusb-creator package

usb-creator-helper allows any user to umount any filesystem

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
usb-creator package