oss-sec mailing list archives

CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked


From: Mike Gabriel <mike.gabriel () das-netzwerkteam de>
Date: Fri, 03 Apr 2015 19:29:04 +0000

Application: Caja (file browser of the MATE desktop environment)
Upstream-Source: https://github.com/mate-desktop/caja
Vulnerability type: auto-run drive-by attack [1]

Description: caja automounts USB flash drives and CD/DVD drives while session is locked

Abstract:
 To avoid auto-run drive-by attacks by a physically proximate attacker on
 the system from USB auto-mounting while the screen is locked, the desktop
 should delay automounting until the screen is unlocked (to not interfere
 with the case of sitting back down at your system, plugging in a device,
 and then unlocking your screen).

Affected versions: all known versions
Upstream bug report: https://github.com/mate-desktop/caja/issues/398

To my knowledge, no CVE has been requested, so far.

The issue was first reported on Debian BTS:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781608#5

Mike


[1] http://www.net-security.org/secworld.php?id=10544


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel () das-netzwerkteam de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: _bin
Description: Digital PGP signature

