Local root exploit in Calibre - Page 2

jgaiser · 11-04-2011, 11:15 AM

I'm going to repeat what I said on the other "The Sky Is Falling" thread.

Local exploits are pretty meaningless to 99% (I don't dare say 100%) of home Linux users. If I have physical access to your machine and the drives are not encrypted, that machine is mine. It's as simple as a flash drive with a live linux distribution. I'm not going to get worked up over a possible local security problem in Calibre.

It's good to be aware of problems. But in this case, the Sky is *not* falling.

frostschutz · 11-04-2011, 12:41 PM

Quote:

Originally Posted by jgaiser

Local exploits are pretty meaningless to 99% (I don't dare say 100%) of home Linux users. If I have physical access to your machine and the drives are not encrypted, that machine is mine. It's as simple as a flash drive with a live linux distribution. I'm not going to get worked up over a possible local security problem in Calibre.

You imply physical access and local problem, but all it takes for an attacker is to offer a Calibre plugin for download really. If Calibre provides both the local root exploit and the trust needed to get users to execute their code, that's a very serious issue.

Security is one of the reasons why people choose Linux. However it's only secure as long as every security issue, no matter how small, is taken very seriously and fixed soonest possible.

You can't talk an issue like this away - you can only fix it.

kovidgoyal · 11-04-2011, 12:57 PM

Quote:

Originally Posted by frostschutz

Security is one of the reasons why people choose Linux. However it's only secure as long as every security issue, no matter how small, is taken very seriously and fixed soonest possible.

You mean faster than the one day it was fixed in and the three days that the fix will be available for download?

Quote:

You can't talk an issue like this away - you can only fix it.

This exploit gives someone who already has access to everything important on a single user system, some more, largely useless access. I'll repeat this, as it doesn't seem to sink in. For the vast majority of single user systems (i.e. almost every laptop or desktop out there) this exploit is irrelevant.

splat · 11-04-2011, 12:59 PM

Quote:

Originally Posted by frostschutz

You imply physical access and local problem, but all it takes for an attacker is to offer a Calibre plugin for download really. If Calibre provides both the local root exploit and the trust needed to get users to execute their code, that's a very serious issue.

Pretty much this, it's how a vast majority of the Windows bugs are exploited. It might be a local exploit but there are many ways for a remote attacker to leverage it to gain access.

ldolse · 11-04-2011, 01:06 PM

Quote:

Originally Posted by frostschutz

You imply physical access and local problem, but all it takes for an attacker is to offer a Calibre plugin for download really. If Calibre provides both the local root exploit and the trust needed to get users to execute their code, that's a very serious issue.

Security is one of the reasons why people choose Linux. However it's only secure as long as every security issue, no matter how small, is taken very seriously and fixed soonest possible.

You can't talk an issue like this away - you can only fix it.

A hypothetical but valid scenario. One could work around that by restricting device Interface drivers from user installable plugins - that way any code with the ability to call the mount function always needs to be vetted through the main release process. Anyway Calibre already warns users that plugins represent real security vulnerabilities, as they can bundle arbitrary executable code and launch it - I don't think a hacker looking to deliver a Trojan via a Calibre plugin needs to use an approach this obscure. As Kovid and the others have already said - the hacker needs to gain access to something else in order for the exploit to be useful, in this example it's the user's trust, which is true of any Trojan.

splat · 11-04-2011, 01:11 PM

Quote:

Originally Posted by ldolse

the hacker needs to gain access to something else in order for the exploit to succeed, in this example it's the user's trust, which is true of any Trojan.

You should always assume the trust is there, users are idiots. A developer should take that into account and not allow their project to be used to take advantage of a users system.

jgaiser · 11-04-2011, 02:45 PM

Quote:

Originally Posted by frostschutz

You can't talk an issue like this away - you can only fix it.

And you can't talk it into a problem bigger than it really is.

If I worried about every *minor* security problem there was with Linux and it's applications I'd never turn my machine on and certainly never get online. I understand the issues. Most of the people here understand the issues. Can we drop this and move on?

theducks · 11-04-2011, 04:21 PM

Most of the Windows in my house are large enough to climb through and attack my Linux systems.

Large windows = a real Security vulnerability and must be fixed immediately

nickredding · 11-04-2011, 05:01 PM

Quote:

Originally Posted by splat

... users are idiots.

Speak for yourself.

user_none · 11-04-2011, 05:34 PM

The mount helper has been removed, a decision I'm in agreement with and believe is the correct course of action.

CRussel · 11-05-2011, 01:23 AM

I got my start in this business as a UNIX system administrator. I know what root is. And even though I've been off UNIX for years, and mostly write about Windows now, I'll state unequivocally that if I have physical access to your machine, I own it, short of encrypted system disks (and even those, under some highly technical situations). So a "local only" exploit just really doesn't get me excited. Yes, certainly, it should get fixed. But let's not get our knickers in a twist.

frostschutz · 11-05-2011, 10:09 AM

Quote:

Originally Posted by user_none

The mount helper has been removed, a decision I'm in agreement with and believe is the correct course of action.

+1

Gentoo already removed it (replaced in favour of Debian's alternative). As a result the Gentoo package now pulls in udisks as a dependency. I tested it and it works fine for me. For Gentoo users who didn't have udisks installed before that, it's an improvement in both security and usability.

EowynCarter · 11-05-2011, 01:19 PM

Quote:

Originally Posted by user_none

The mount helper has been removed, a decision I'm in agreement with and believe is the correct course of action.

What does that change for us linux users ?

user_none · 11-05-2011, 01:45 PM

Quote:

Originally Posted by EowynCarter

What does that change for us linux users ?

If you use a distro that includes udisks (Fedora, Ubuntu, Debian, Suse...), nothing. Ubuntu 10.04 Lucid was the first Ubuntu release with udisks support. If you use an old distro then auto mounting and unmounting of devices no longer works.

kovidgoyal · 11-05-2011, 10:03 PM

Quote:

Originally Posted by user_none

If you use a distro that includes udisks (Fedora, Ubuntu, Debian, Suse...), nothing. Ubuntu 10.04 Lucid was the first Ubuntu release with udisks support. If you use an old distro then auto mounting and unmounting of devices no longer works.

That means that if you are on a distro/BSD without a working udisks, then device detection in calibre will not work unless you manually mount the device (or arrange to have it automounted before starting calibre).

It might actually work if you mount it manually even after starting calibre, but that is not very reliable.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Calibre loads books into Root of SD card, help please	vitalichka	Library Management	4	03-06-2011 06:47 PM
Calibre on linux: root password for unmounting?	mhomann	Devices	14	02-05-2011 11:26 AM
Adobe Reader 9 new exploit in the wild	doctorow	News	2	02-20-2009 03:38 PM
iLiad Huge exploit found in 2.7	arivero	iRex Developer's Corner	86	11-26-2006 04:49 PM
Serious exploit in Greasemonkey 0.4	Alexander Turcic	Lounge	2	07-19-2005 04:59 AM

11-04-2011, 11:15 AM	#16
jgaiser Omnivorous Posts: 3,283 Karma: 27978909 Join Date: Feb 2008 Location: Rural NW Oregon Device: Kindle Voyage, Kindle Fire HD, Kindle 3, KPW1	I'm going to repeat what I said on the other "The Sky Is Falling" thread. Local exploits are pretty meaningless to 99% (I don't dare say 100%) of home Linux users. If I have physical access to your machine and the drives are not encrypted, that machine is mine. It's as simple as a flash drive with a live linux distribution. I'm not going to get worked up over a possible local security problem in Calibre. It's good to be aware of problems. But in this case, the Sky is not falling.

11-04-2011, 04:21 PM	#23
theducks Well trained by Cats Posts: 31,079 Karma: 60358908 Join Date: Aug 2009 Location: The Central Coast of California Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A	Most of the Windows in my house are large enough to climb through and attack my Linux systems. Large windows = a real Security vulnerability and must be fixed immediately

11-04-2011, 05:34 PM	#25
user_none Sigil & calibre developer Posts: 2,487 Karma: 1063785 Join Date: Jan 2009 Location: Florida, USA Device: Nook STR	The mount helper has been removed, a decision I'm in agreement with and believe is the correct course of action.

11-05-2011, 01:23 AM	#26
CRussel (he/him/his) Posts: 12,296 Karma: 80074820 Join Date: Jul 2010 Location: Sunshine Coast, BC Device: Oasis (Gen3),Paperwhite (Gen10), Voyage, Paperwhite(orig), iPad Air M3	I got my start in this business as a UNIX system administrator. I know what root is. And even though I've been off UNIX for years, and mostly write about Windows now, I'll state unequivocally that if I have physical access to your machine, I own it, short of encrypted system disks (and even those, under some highly technical situations). So a "local only" exploit just really doesn't get me excited. Yes, certainly, it should get fixed. But let's not get our knickers in a twist.

Advert

Advert