Old 11-03-2011, 06:36 PM   #1
splat
Security bug in Calibre

(Sorry for the cross post but felt this was important enough to get a bit of a wider audience.)

For anyone who takes system security seriously, please be aware of a local root exploit for the current version of calibre.

Proof of concept exploit:
http://www.exploit-db.com/exploits/18071/

Details
https://bugs.launchpad.net/calibre/+bug/885027

Everyone should make sure they update their software as soon as an update with patches is released.
Old 11-03-2011, 07:01 PM   #2
DiapDealer
Vendettas are so ugly.
Old 11-03-2011, 07:05 PM   #3
Bilbo1967
Quote:
Originally Posted by DiapDealer View Post
Vendettas are so ugly.
That may be true, but a real refutation would help both me and any future users of Calibre who happen along here.
Old 11-03-2011, 07:18 PM   #4
DiapDealer
Quote:
Originally Posted by Bilbo1967 View Post
That may be true, but a real refutation would help both me and any future users of Caliber who happen along here.
A "real" refutation is a pipe-dream. It's a moving target. Read the bug report and its subsequent comments and make an informed decision on whether the vulnerabilities are something you need to get worked up over as an end-user... or whether they represent the efforts of an overzealous "security expert" who's going to find an exploit in every single application they choose to target.
Old 11-03-2011, 07:42 PM   #5
JoeD
Why does calibre need to handle mounting in the first place? Do the various Linux distros not already provide a way to mount USB disks? It's been a while since I used Linux, but I remember it being pretty much automated for any removable drive to be mounted.

Having not used calibre on Linux though, I may be missing a key point in the argument.
Old 11-03-2011, 07:42 PM   #6
Serpentine
I love the registration date of some of the users in that thread, how odd!
Old 11-03-2011, 07:52 PM   #7
jgaiser
Non-issue. Local exploit only.
Old 11-03-2011, 08:48 PM   #8
elcreative
Really dangerous... considering that most calibre users are personal users who don't allow the world and casual passers-by to have physical access to their computers, and who should be using decent firewall/security software when net connected... plus I wonder how many people actually keep calibre running 24 hours a day; personally I only open it when I'm actually using it!
Old 11-03-2011, 09:16 PM   #9
jgaiser
Local exploits are pretty meaningless to 99% (I don't dare say 100%) of home Linux users. If I have physical access to your machine and the drives are not encrypted, that machine is mine. It's as simple as a flash drive with a live linux distribution. I'm not going to get worked up over a possible local security problem in Calibre.
Old 11-03-2011, 09:20 PM   #10
Baldrake
Removed - previous poster said it better...
Old 11-03-2011, 11:04 PM   #11
Fbone
For once Windows users can ignore this security concern.
Old 11-04-2011, 03:54 AM   #12
abookreader
Quote:
Originally Posted by jgaiser View Post
Local exploits are pretty meaningless to 99% (I don't dare say 100%) of home Linux users. If I have physical access to your machine and the drives are not encrypted, that machine is mine. It's as simple as a flash drive with a live linux distribution. I'm not going to get worked up over a possible local security problem in Calibre.
If you get physical access to my machine, I guess that pretty much means you've stolen it anyway. You probably have my TV too.
Old 11-04-2011, 07:24 AM   #13
splat
Quote:
Originally Posted by DiapDealer View Post
an overzealous "security expert" who's going to find an exploit in every single application they choose to target.
Do you really not see finding flaws in applications as a problem?

These guys are trying to help, and unfortunately the impression I get from Kovid is that the bare minimum to fix the issue is being done, which results in it being easily worked around time and time again.

There's no dishonour in asking for help if you don't understand something; attacking someone trying to help you is just arrogant (yes, I'm aware some of the other posters in the bug report are being d**ks too).

Heck, he was given suggestions of using various other, more secure apps rather than his own homegrown code. His reply boiled down to: it's not installed on my Gentoo box, so no. Even when a lead developer for Gentoo comes on and says it's Gentoo's issue to fix dependency issues, it's a no go.

The mind boggles.
Old 11-04-2011, 07:46 AM   #14
Rob Lister
Quote:
Originally Posted by abookreader View Post
If you get physical access to my machine, I guess that pretty much means you've stolen it anyway. You probably have my TV too.
Old 11-04-2011, 07:58 AM   #15
DiapDealer
Quote:
Originally Posted by splat
Do you really not see finding flaws in applications as a problem?
Yes, I definitely see finding flaws in applications as a problem. I find fault with people who make full-time careers out of ferreting out said flaws in free software. Especially the ones who start internet vendettas when the developer(s) of said free software don't immediately jump to "correct" what the "expert" sees as "flaws." It's a form of extortion that I find disgusting.

It's open source... if you can't live with the minor security risk it represents (and it is minor as hell)... patch your own copy to fix the potential hole, or stop using the software. It's that simple.

Quote:
These guys are trying to help and unfortunately the impression I get from Kovid is that it's bare minimum to fix the issue is being done, which results in it being easily worked around time and time again.
These guys aren't trying to "help." Calibre just happened to be the latest target in their sights. I've seen the tactic used again and again and again with various open-source projects. If it's popular, these rats will eventually come out of their holes at some point and attempt to tear it down. "'Fix' it or we'll start an internet-wide smear campaign."

I actually applaud calibre's developers for not giving in to this kind of extortion.

Last edited by DiapDealer; 11-04-2011 at 08:02 AM.