oss-sec mailing list archives

Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked

From: Mike Gabriel <mike.gabriel () das-netzwerkteam de>
Date: Mon, 04 May 2015 13:20:13 +0000

Hi,

sorry for the delay in the follow-up on this.

On  Sa 04 Apr 2015 11:36:41 CEST, cve-assign wrote:

https://bugs.debian.org/781608#15

This deserves a CVE ID


Is upstream planning to announce this as a vulnerability fix? It
appears that this increases security in some environments but
decreases security in others. For example:

  - MATE is used by an organization that requires each person to lock
    their screen if they will be away from the screen, even for a
    moment.

  - The USB device contains sensitive information. The person is
    required to maintain physical control of the USB device at all
    times.

  - The relevant screen is not located in the same room as the
    relevant USB socket. The person is not allowed to change hardware
    locations.

  - The person requires automounting. Workarounds such as a script to
    sleep for a minute and then explicitly do a mount are, for some
    reason, unacceptable.

  - There may be other constraints that aren't directly specified
    here. The bottom line is that, in this environment, the person has
    no way to have the USB device remain inserted at a time when that
    person's screen is unlocked.

This might occur only rarely, and one might argue that the person
isn't allowed to "require" automounting.

In any case, if the situation is roughly like "Upstream doesn't want
automounting when the screen is locked. The previous behavior of
automounting when the screen is locked was an oversight." then there
can be a CVE ID. If the situation isn't like that, and instead is
roughly like "Here's a usually useful security improvement or
defense-in-depth measure," then there can't be a CVE ID.

There now is a pull request on Github [1] to get this issue fixed inCaja. I just (a minute ago) received notification from upstream thatthe PR will get merged ASAP.

So upstream plans to fix this with the next release of caja (probably1.10) and it is considered an issue (similar to how it was consideredan issue in the nautilus browser where Caja has been forked from).


light+love,
Mike (from the Debian MATE Packaging Team)

[1] https://github.com/mate-desktop/caja/pull/400
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel () das-netzwerkteam de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Attachment: _bin
Description: Digitale PGP-Signatur

Current thread:

CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked Mike Gabriel (Apr 03)
- Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked cve-assign (Apr 04)
  - Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked Mike Gabriel (May 04)