oss-sec mailing list archives
Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked
From: Mike Gabriel <mike.gabriel () das-netzwerkteam de>
Date: Mon, 04 May 2015 13:20:13 +0000
Hi, sorry for the delay in the follow-up on this. On Sa 04 Apr 2015 11:36:41 CEST, cve-assign wrote:
https://bugs.debian.org/781608#15This deserves a CVE IDIs upstream planning to announce this as a vulnerability fix? It appears that this increases security in some environments but decreases security in others. For example: - MATE is used by an organization that requires each person to lock their screen if they will be away from the screen, even for a moment. - The USB device contains sensitive information. The person is required to maintain physical control of the USB device at all times. - The relevant screen is not located in the same room as the relevant USB socket. The person is not allowed to change hardware locations. - The person requires automounting. Workarounds such as a script to sleep for a minute and then explicitly do a mount are, for some reason, unacceptable. - There may be other constraints that aren't directly specified here. The bottom line is that, in this environment, the person has no way to have the USB device remain inserted at a time when that person's screen is unlocked. This might occur only rarely, and one might argue that the person isn't allowed to "require" automounting. In any case, if the situation is roughly like "Upstream doesn't want automounting when the screen is locked. The previous behavior of automounting when the screen is locked was an oversight." then there can be a CVE ID. If the situation isn't like that, and instead is roughly like "Here's a usually useful security improvement or defense-in-depth measure," then there can't be a CVE ID.
There now is a pull request on Github [1] to get this issue fixed in Caja. I just (a minute ago) received notification from upstream that the PR will get merged ASAP.
So upstream plans to fix this with the next release of caja (probably 1.10) and it is considered an issue (similar to how it was considered an issue in the nautilus browser where Caja has been forked from).
light+love, Mike (from the Debian MATE Packaging Team) [1] https://github.com/mate-desktop/caja/pull/400 -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel () das-netzwerkteam de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
_bin
Description: Digitale PGP-Signatur
Current thread:
- CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked Mike Gabriel (Apr 03)
- Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked cve-assign (Apr 04)
- Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked Mike Gabriel (May 04)
- Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked cve-assign (Apr 04)