Old 11-03-2011, 06:12 PM   #1
splat
Zealot
 
Posts: 106
Karma: 348
Join Date: Dec 2006
Local root exploit in Calibre

For anyone who takes system security seriously, please be aware of a local root exploit for the current version of calibre.

Proof of concept exploit:
http://www.exploit-db.com/exploits/18071/

Details
https://bugs.launchpad.net/calibre/+bug/885027
Old 11-03-2011, 11:45 PM   #2
VicLavigne
e-reading since 2008
Posts: 197
Karma: 112730
Join Date: Oct 2008
Location: Hinesville Georgia
Device: Nook STR, Sony PRS-T1
Looking over the links, this security hole seems to be related to Linux distros.

I've looked over the posts and I'm not sure if this is a meaningful security exploit or not... meaningful in the sense that you're likely to have a bad outcome. Some of the chatter on the internet related to this doesn't even seem to know what Calibre is for.


Vic
Old 11-04-2011, 12:55 AM   #3
kovidgoyal
creator of calibre
Posts: 44,028
Karma: 22669822
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
That exploit is relevant only on a multi-user linux/bsd system. It's a privilege escalation exploit, i.e. it allows a non-root user to become root.
This has actual bad effects (in terms of access to user data) only on a system with more than one non-root user, which does not include the vast majority of desktops/laptops.

Furthermore, the exploit will be closed in the next calibre release.
Old 11-04-2011, 08:13 AM   #4
splat
Zealot
 
Posts: 106
Karma: 348
Join Date: Dec 2006
Quote:
Originally Posted by kovidgoyal View Post
This has actual bad effects (in terms of access to user data) only on a system with more than one non root user, which does not include the vast majority of desktop/laptops.
And that makes it ok? (Dan says it best) Rule #1: If it's possible, it will happen.

Quote:
Originally Posted by kovidgoyal View Post
Furthermore, the exploit will be closed in the next calibre release.
Probably not...

Instead of just patching each exploit, fix the inherent flaw! It really is ok to just ask for help from those who are offering it instead of just ignoring them.

Last edited by splat; 11-04-2011 at 08:27 AM. Reason: link to Dan's offer of help
Old 11-04-2011, 08:16 AM   #5
kovidgoyal
creator of calibre
Posts: 44,028
Karma: 22669822
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
One more for the ignore list.
Old 11-04-2011, 08:24 AM   #6
DoctorOhh
US Navy, Retired
Posts: 9,865
Karma: 13806776
Join Date: Feb 2009
Location: North Carolina
Device: Icarus Illumina XL HD, Nexus 7
Your focus is really quite narrow and misleading.

Quote:
Originally Posted by splat View Post
Instead of just patching each exploit, fix the inherent flaw! It really is ok to just ask for help from those who are offering it instead of just ignoring them.
You link to an early post but fail to acknowledge the end posts. Try reading through the entire bug report, say comment 48 onwards.

Quote:
Originally Posted by kovidgoyal View Post
One more for the ignore list.
There is no place for folks that purposefully tell part of the story.

Last edited by DoctorOhh; 11-04-2011 at 08:26 AM.
Old 11-04-2011, 08:38 AM   #7
splat
Zealot
 
Posts: 106
Karma: 348
Join Date: Dec 2006
Quote:
Originally Posted by dwanthny View Post
Try reading through the entire bug report, say comment 48 onwards.
I did. See my "probably not" link, which is in reference to post 49. Followed on in 54 and 56.

Don't like something? Better put your head in the sand, that always works well.
Old 11-04-2011, 08:45 AM   #8
DiapDealer
Grand Sorcerer
Posts: 27,624
Karma: 194727102
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Quote:
Don't like something? Better put your head in the sand, that always works well.
Yeah, because the "Don't like something? Better start an internet vendetta" approach works soooo much better. And is much classier to boot.
Old 11-04-2011, 08:56 AM   #9
splat
Zealot
 
Posts: 106
Karma: 348
Join Date: Dec 2006
Quote:
Originally Posted by DiapDealer View Post
Yeah, because the "Don't like something? Better start an internet vendetta" approach works soooo much better. And is much classier to boot.
It was not a vendetta, it was posted as a PSA for those who want to be made aware that they might be running insecure software.

You stick with your conspiracy theories that evil security researchers are out to get the good guy developers.
Old 11-04-2011, 09:09 AM   #10
theducks
Well trained by Cats
Posts: 29,994
Karma: 56143932
Join Date: Aug 2009
Location: The Central Coast of California
Device: Kobo Libra2,Kobo Aura2v1, K4NT(Fixed: New Bat.), Galaxy Tab A
@Splat
I am all for a 'Heads Up' about potential problems, but you are taking it over the top.

You joined MR in 2006, made 90+ posts between then and now, and tell Kovid that he must drop everything and secure the Linux distribution for maybe the 1 in 5000+ of those users that just might be running on a system where that possibility could exist.

I think Kovid's list should forewarn those few affected users that the choice of system to run Calibre on should be considered.
Old 11-04-2011, 09:18 AM   #11
DiapDealer
Grand Sorcerer
Posts: 27,624
Karma: 194727102
Join Date: Jan 2010
Device: Nexus 7, Kindle Fire HD
Quote:
It was not a vendetta, it was posted as a PSA for those who want to be made aware that they might be running insecure software.
You're right... I apologize. The one person that the potential root exploit might have affected probably appreciates the PSA. You're a lifesaver. Carry on and feel good.
Old 11-04-2011, 09:26 AM   #12
splat
Zealot
 
Posts: 106
Karma: 348
Join Date: Dec 2006
Quote:
Originally Posted by theducks View Post
You joined MR in 2006, made 90+ posts between then and now, and tell Kovid that he must drop everything and secure the Linux distribution for maybe the 1 in 5000+ of those users that just might be running on a system where that possibility could exist.
When I joined or how many posts I have is completely irrelevant.

I'm not demanding he drop everything. There was a bug report; it'd be nice if, instead of ignoring the messengers, it got addressed properly. If he needs the time to do it, by all means take it; just don't trivialize it. Let those who may be affected know, and give steps to mitigate until it's fixed.

Quote:
Originally Posted by theducks View Post
I think Kovid's list should forewarn those few affected users that the choice of system to run Calibre on should be considered.
Perfectly workable and acceptable (at least from my point of view) and has already been suggested in the bug thread.
Old 11-04-2011, 10:12 AM   #13
Starson17
Wizard
 
Posts: 4,004
Karma: 177841
Join Date: Dec 2009
Device: WinMo: IPAQ; Android: HTC HD2, Archos 7o; Java:Gravity T
The Calibre Wikipedia entry has a reference to this issue.

I'm a fan of both Calibre and Wikipedia. I'd like Wikipedia to be correct. It states:
Quote:
On November 2, 2011, a series of exploits were reported in Calibre that enabled users to gain root access through a poorly designed and implemented SUID disk mounting program that was part of the distribution. The developer, Kovid Goyal, refused to take the helpful bug reports seriously, instead taking them as personal attacks. He stated that Calibre was designed to run on end user computers, so it was not important to protect against malicious privilege escalation, because "for the vast majority of calibre users, this is a non issue". After he was unable to patch all the vulnerabilities that were pointed out, he then announced that he was going to ignore the bug reports because of their tone. An article on reddit titled How not to respond to vulnerabilities in your code discussed the incident.
IMO, this fails to note that the "series of exploits" relates only to Linux, not Windows or OSX. Specifically, it relates to the "mount helper" used for USB mounting of ereader devices. The mount helper is found only in the binary Linux install and package maintainers for specific flavors of Linux can and do remove that component if their particular Linux flavor does not need it. It's only there to make sure that calibre can be installed on all flavors of Linux.

It also fails to note that the exploits apply only when the Linux OS fails to supply a more secure method of mounting which calibre tries to use first: udisks. It does not mention that exploits have been closed and Kovid's response to a possible updated exploit is:

Quote:
I look forward to the updated exploit. If/when you attach it, I will review if it can be closed. If it can, I will fix it, if not, then I will nuke calibre-mount-helper. Linux users will just have to live with no out of the box experience. Hopefully, most of them are used to that.
As one who doesn't even run calibre on my Debian System, I don't feel comfortable correcting this entry or trying to balance it, but I'd urge people on both sides of this issue, who know the details, to work to get the Wikipedia entry made fair, balanced and accurate.
Old 11-04-2011, 10:46 AM   #14
frostschutz
Linux User
Posts: 2,279
Karma: 6123806
Join Date: Sep 2010
Location: Heidelberg, Germany
Device: none
Thanks for the info. I removed the suid bit of the mount helper. I'll also make sure it stays that way on my system. Giving a binary suid-root is dangerous and should be avoided at all costs. Removing it entirely seems the best option to me.
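As a defender-side illustration of the mitigation frostschutz describes (find setuid binaries such as the calibre-mount-helper, strip the bit, and confirm it stayed off), here is an added shell example; it is not code from this thread or from calibre, and the directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from calibre): audit a directory tree
# for setuid executables such as the calibre-mount-helper discussed above, and
# strip the bit as frostschutz did. Directory and file names are assumptions.

# list_setuid DIR
#   Prints "mode owner path" for each regular file under DIR that carries the
#   setuid bit. Returns 0 if at least one was found, 1 if none.
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $NF }' \
        | grep .
}

# is_setuid FILE
#   Returns 0 when FILE has the setuid bit set (POSIX test -u), 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# strip_setuid FILE
#   Removes the setuid bit and re-checks the mode afterwards, so the caller
#   only gets success when the bit is really gone.
strip_setuid() {
    chmod u-s "$1" 2>/dev/null || return 1
    is_setuid "$1" && return 1
    return 0
}

# Typical use on a calibre binary install (paths are assumptions):
#   list_setuid /opt/calibre && strip_setuid /opt/calibre/bin/calibre-mount-helper
```

Run list_setuid again after the next calibre update, since an installer may restore the bit.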
Old 11-04-2011, 11:07 AM   #15
EowynCarter
Wizard
 
Posts: 4,334
Karma: 4000000
Join Date: Oct 2008
Location: Paris
Device: Cybooks; Sony PRS-T1
Quote:
Originally Posted by theducks View Post
@Splat
I am all for a 'Heads Up' about potential problems, but you are taking it over the top.

You joined MR in 2006, made 90+ posts between then and now, and tell Kovid that he must drop everything and secure the Linux distribution for maybe the 1 in 5000+ of those users that just might be running on a system where that possibility could exist.

I think Kovid's list should forewarn those few affected users that the choice of system to run Calibre on should be considered.
Yeah sure, Linux users are a minority, who cares? Well, I, as a Linux user, certainly care. It's typical around here: hey, why should Kovid spend time on function X? I don't want / need it, so it's useless.

It seems to me that the exploit can only be used by someone actually in front of the computer. Fixing it would be nice, but not if it means breaking things for us Linux users. (No one I can't trust will touch my computer anyway.)

Not that I care about that particular issue, as i don't use calibre.

Last edited by EowynCarter; 11-04-2011 at 11:12 AM.