Security bug in Calibre

[JoeD]

It may be a local only exploit, but you do need to consider that any user level remote exploit could then piggy back on this to gain full root access. Granted there's likely numerous local level exploits in other apps and it was the remote user level bug that was the really major one.

However, one poster in that bug thread did hit an important issue, calibre or the website should warn users that installing the mount helper will allow any local user to gain root access to the machine. Since as everyone else points out here, for most users they won't care about that, so long as it's local and not remote, but at least those who do care are now informed and can remedy things on their own.

[elcreative]

Quote:

Originally Posted by DiapDealer

Yes, I definitely see finding flaws in applications as a problem. I find fault with people who make full-time careers out of ferreting out said flaws in free software. Especially the ones who start internet vendettas when the developer(s) of said free software don't immediately jump to "correct" what the "expert" sees as "flaws." It's a form of extortion that I find disgusting.

It's open source... if you can't live with the minor security risk it represents (and it is minor as hell)... patch your own copy to fix the potential hole, or stop using the software. It's that simple.


These guys aren't trying to "help." Calibre just happened to be the latest target in their sights. I've seen the tactic used again and again and again with various open-source projects. If it's popular, these rats will eventually come out of their holes at some point and attempt to tear it down. "'Fix' it or we'll start an internet-wide smear campaign."

I actually applaud calibre's developers for not giving in to this kind of extortion.

Here, here... and why not help out by telling the entire world about something you find so anyone who might be a b*****d now knows about it... why not contact the developer privately and keep the discussion that way instead of being the "Look at me, I'm a clever weasel... fix this to suit me or I'll attack you, everything you do, your wife and children, the cats and anything else to do with you" If you've got a problem with the way I do something then a quiet discussion gets more results than standing in the middle of the street screaming and throwing a hissy fit...

And the golden rule... if you don't like it then don't use it... and how many calibre users share their hardware with the entire world... or don't you trust yourselves not to hack your own computer... or maybe get a life...

[DiapDealer]

Quote:

Originally Posted by elcreative

"Look at me, I'm a clever weasel... fix this to suit me or I'll attack you, everything you do, your wife and children, the cats and anything else to do with you"

This... in spades, this.

That's the part of this whole "attention-whoring-masquerading-as-sincere-security-analysis--we're-just-looking-out-for-the-average-peeps-here" tactic that I find the most galling.

Wikipedia entries on the same day as the bug report, for god's sake?! Reddit? This forum? How is this NOT a vendetta?

Actually, I suspect that an alternative, commercial, calibre-like application is soon to be revealed somewhere on the internet. That's what usually follows quickly on the heels of this type of smear campaign; "Oh, BTW... here'$ a $ecure alternative."

[EowynCarter]

Quote:

And the golden rule... if you don't like it then don't use it... and how many calibre users share their hardware with the entire world... or don't you trust yourselves not to hack your own computer... or maybe get a life...

I disagree with that. Criticism is good. Trouble is, sometimes peaple making critics does so in a rude / angry way. Don't means their point isn"t valid and shouldn't be listen too.

[splat]

Quote:

Originally Posted by elcreative

why not contact the developer privately and keep the discussion that way instead of being the "Look at me, I'm a clever weasel... fix this to suit me or I'll attack you,

The bug report was only changed from private to public after Kovid could not see how 3 bugs (out of 5) were a problem and told the submitter to essentially come up with their own solution and implement it for Linux rather than Calibre and then marking the ticket fixed.

It was only then, unfortunately for Kovid, that the bug report went viral (such as here and here) as an example of how not to handle bug reports.

[Serpentine]

Quote:

Originally Posted by splat

It was only then, unfortunately for Kovid, that the bug report went viral

You seem pretty mad for a casual user.

[splat]

Quote:

Originally Posted by DiapDealer

Actually, I suspect that an alternative, commercial, calibre-like application is soon to be revealed somewhere on the internet. That's what usually follows quickly on the heels of this type of smear campaign; "Oh, BTW... here'$ a $ecure alternative."

Oh you and your conspiracies

It's highly unlikely, while there has been lots of grumblings of forking calibre since this happened, I really can't see anyone doing it, let alone trying to charge for it.

[splat]

Quote:

Originally Posted by Serpentine

You seem pretty mad for a casual user.

How is that being mad? elcreative, made assuptions that were in correct as to how this went down and I corrected him or her.

If I was to be mad about anything it'd be for the general lack of regard for the issue and a subset of calibre users (of which I am not).

[DiapDealer]

Quote:

Originally Posted by splat

for the general lack of regard for the issue and a subset of calibre users (of which I am not).

Which makes your overwhelming interest even more puzzling.

[Billi]

splat, just for the sake of fairness and clearness: are you this Jason Donenfeld from the bug track? Thanks.

[splat]

Quote:

Originally Posted by DiapDealer

Which makes your overwhelming interest even more puzzling.

I want to know that when (not if*) bugs for the platform I use are found, they will be taken seriously and fixed rather than have the messenger ignored. At the moment, the way this is being handled it doesn't give me much faith.

Had Kovid been open to suggestions (repeatead offers of help from Dan Rosenburg) in the first place instead of offering sarcastic replies and ignoring people this would probably not have blown up in the way that it has.

*no system is bug free

[splat]

Quote:

Originally Posted by Billi

splat, just for the sake of fairness and clearness: are you this Jason Donenfeld from the bug track? Thanks.

100% hand on heart I am not Dan or Jason and have not posted to the bugs page.

[DiapDealer]

So how, exactly, did you happen across this particular (previously private) bug report for an open-source ebook management application that you admittedly don't use yourself?

[slm]

This thread--and the bug report--seem to have crossed two different worldviews.

One group wants a program that works. Just works. And they don't need to understand the guts or the complexities unless they want to.

The other does not want any program to exist if in some circumstances on some machines in some environments anyone with enough technical knowledge might get higher access privileges than are granted to the program.

I suppose there is a class of circumstances where the second worldview is sensible. But on this forum, and for the vast majority of Calibre users, I'm betting the first view prevails.

Security always comes with inconvenience. Convenience always comes with insecurity. Calibre is not an OS. Get over it.

(I guess you can sense my worldview.)

[splat]

Quote:

Originally Posted by DiapDealer

So how, exactly, did you happen across this particular (previously private) bug report

I was linked to it on IRC about 20min prior to posting this thread, which given by the time stamps on the bug tracker was 1ish days after the initial bug report.

Quote:

Originally Posted by DiapDealer

for an open-source ebook management application that you admittedly don't use yourself?

Re-read what I said, I never said I did not use calibre, I said I was not one of the affected users (as I do not use Linux).