oss-sec mailing list archives
CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked
From: Mike Gabriel <mike.gabriel () das-netzwerkteam de>
Date: Fri, 03 Apr 2015 19:29:04 +0000
Application: Caja (file browser of the MATE desktop environment)
Upstream-Source: https://github.com/mate-desktop/caja
Vulnerability type: auto-run drive-by attack [1]
Description: caja automounts USB flash drives and CD/DVD drives while session is locked

Abstract: To avoid auto-run drive-by attacks by a physically proximate attacker on the system from USB auto-mounting while the screen is locked, the desktop should delay automounting until the screen is unlocked (to not interfere with the case of sitting back down at your system, plugging in a device, and then unlocking your screen).

Affected versions: all known versions
Upstream bug report: https://github.com/mate-desktop/caja/issues/398

To my knowledge, no CVE has been requested, so far.

The issue was first reported on Debian BTS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781608#5

Mike

[1] http://www.net-security.org/secworld.php?id=10544

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel () das-netzwerkteam de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
_bin
Description: Digital PGP signature
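
The behaviour the abstract asks for (hold automounts while the session is locked, mount on unlock), sketched as an added example. It is not Caja's code or the upstream fix; the struct, the function names and the device paths are hypothetical, and the mount call is a counting stand-in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_PENDING 8   /* bounded queue: devices beyond this are ignored */

struct automounter {
    bool locked;                       /* mirrors the screen lock state */
    const char *pending[MAX_PENDING];  /* devices seen while locked */
    size_t n_pending, n_mounted;
};

/* Stand-in for the real mount operation; only counts calls. */
static void do_mount(struct automounter *am, const char *dev) {
    (void)dev;
    am->n_mounted++;
}

/* Device plugged in: mount now only if the session is unlocked. */
void am_volume_added(struct automounter *am, const char *dev) {
    if (!am->locked)
        do_mount(am, dev);
    else if (am->n_pending < MAX_PENDING)
        am->pending[am->n_pending++] = dev;
}

/* Device pulled out again: it must not be mounted at unlock time. */
void am_volume_removed(struct automounter *am, const char *dev) {
    for (size_t i = 0; i < am->n_pending; i++)
        if (strcmp(am->pending[i], dev) == 0) {
            am->pending[i] = am->pending[--am->n_pending];
            return;
        }
}

/* Lock state changed: on unlock, mount whatever is still attached. */
void am_set_locked(struct automounter *am, bool locked) {
    am->locked = locked;
    while (!locked && am->n_pending > 0)
        do_mount(am, am->pending[--am->n_pending]);
}

/* Constructed scenario: two devices inserted while locked, one removed. */
size_t demo_mounts(bool unlock_at_end) {
    struct automounter am = {0};
    am_set_locked(&am, true);
    am_volume_added(&am, "/dev/sdb1");   /* constructed device names */
    am_volume_added(&am, "/dev/sr0");
    am_volume_removed(&am, "/dev/sdb1");
    if (unlock_at_end)
        am_set_locked(&am, false);
    return am.n_mounted;
}
```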