The Calibre Wikipedia entry has a reference to this issue.
I'm a fan of both Calibre and Wikipedia. I'd like Wikipedia to be correct. It states:
Quote:
On November 2, 2011, a series of exploits were reported in Calibre that enabled users to gain root access through a poorly designed and implemented SUID disk mounting program that was part of the distribution. The developer, Kovid Goyal, refused to take the helpful bug reports seriously, instead taking them as personal attacks. He stated that Calibre was designed to run on end user computers, so it was not important to protect against malicious privilege escalation, because "for the vast majority of calibre users, this is a non issue". After he was unable to patch all the vulnerabilities that were pointed out, he then announced that he was going to ignore the bug reports because of their tone. An article on reddit titled How not to respond to vulnerabilities in your code discussed the incident.
IMO, this fails to note that the "series of exploits" relates only to Linux, not Windows or OSX. Specifically, it relates to the "mount helper" used for USB mounting of ereader devices. The mount helper is found only in the binary Linux install and package maintainers for specific flavors of Linux can and do remove that component if their particular Linux flavor does not need it. It's only there to make sure that calibre can be installed on all flavors of Linux.
It also fails to note that the exploits apply only when the Linux OS fails to supply a more secure method of mounting which calibre tries to use first: udisks. It does not mention that exploits have been closed and Kovid's response to a possible updated exploit is:
Quote:
I look forward to the updated exploit. If/when you attach it, I will review if it can be closed. If it can, I will fix it, if not, then I will nuke calibre-mount-helper. Linux users will just have to live with no out of the box experience. Hopefully, most of them are used to that.
As one who doesn't even run calibre on my Debian system, I don't feel comfortable correcting this entry or trying to balance it, but I'd urge people on both sides of this issue, who know the details, to work to get the Wikipedia entry made fair, balanced and accurate.
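The post turns on two facts a Linux user can verify locally: whether the binary install actually ships a setuid helper, and whether udisks (the method calibre tries first) is available so that helper is never needed. The following shell script is an added example, not code from this post, from calibre or from Wikipedia; the `/opt/calibre` path in the usage comment is an assumed placeholder, and the functions only inspect the directory you give them.

```shell
#!/bin/sh
# Added example (not part of the forum post or of calibre): check whether a
# Linux install directory ships setuid executables, and whether a udisks
# command-line client is on PATH so a setuid mount helper is not the only
# mounting route. The install path in the usage comment is an assumed placeholder.

# Print every regular file under DIR that carries the setuid bit, with its owner.
list_setuid_files() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# Return 0 when a udisks command-line client is on PATH, 1 otherwise.
udisks_available() {
    command -v udisksctl >/dev/null 2>&1 && return 0
    command -v udisks >/dev/null 2>&1 && return 0
    return 1
}

# Summarise both checks for DIR; exit status 0 means no setuid files were found.
audit_install_dir() {
    dir="$1"
    found=$(list_setuid_files "$dir")
    if udisks_available; then
        echo "udisks client present on PATH"
    else
        echo "no udisks client found on PATH"
    fi
    if [ -n "$found" ]; then
        echo "setuid files under $dir:"
        echo "$found"
        return 1
    fi
    echo "no setuid files under $dir"
    return 0
}

# Usage (path is an assumed placeholder): audit_install_dir /opt/calibre
```

A distribution package that strips the helper, as the post says some maintainers do, will produce an empty listing; a binary install that keeps it will show the file and its owner, which is what a reader would want to confirm before editing the entry either way.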