Using calibre safely?
sktsee
sktseer at gmail.com
Wed Nov 30 18:07:29 UTC 2011
On 11/30/2011 11:22 AM, Kevin O'Gorman wrote:
> On Wed, Nov 30, 2011 at 5:26 AM, sktsee<sktseer at gmail.com> wrote:
>> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>>
>>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun at oneil.me.uk> wrote:
>>>>
>>>> Hi Kevin,
>>>>
>>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>>
>>>>> For a few months now I've been using calibre to access the 100-or-so
>>>>> ebooks that I have (mostly DRM-free PDFs).
>>>>> I just became aware of a vulnerability built in to calibre.
>>>>> I am not enormously worried because this is a one-user system, and the
>>>>> vulnerability seems to involve privilege
>>>>> escalation by authorized users.
>>>>
>>>>
>>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>>> (since 10.10), or most other distros. The 'helper' was replaced by the
>>>> packager by something which better integrated with the methods Ubuntu uses
>>>> for mounting disks - see
>>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>>
>>>
>>> I'm not using the Ubuntu version, but instead I use the calibre python
>>> installer. I much prefer the modern version, and 10.04 LTS is just so
>>> out of date. So I'm going to have to roll my own security. I'll have
>>> a look at that launchpad bug.
>>>
>>
>> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>>
>> title: "Remove the suid mount helper used on linux and bsd, as it proved
>> impossible to make it secure."
>>
>> This entry was under the version 0.8.25 section of calibre's changelog and
>> took effect 2011-11-06. The current version is 0.8.28 so that particular
>> issue has been remedied.
>>
>
> Not really. Natty shows version 0.7.44 in the repositories. The
> current version from
> the source is 0.8.28, and it still has the offending mount helper at
> /opt/calibre/bin/calibre-mount-helper.
>
> I guess I'll just delete it each time I upgrade.
>
Actually it's been remedied in Ubuntu packages since Maverick.
http://changelogs.ubuntu.com/changelogs/pool/universe/c/calibre/calibre_0.7.44+dfsg-1build1/changelog
calibre (0.7.2+dfsg-1) unstable; urgency=low

  * New major upstream version. See
    http://calibre-ebook.com/new-in/seven for details.
  * Refresh patches to apply cleanly.
  * debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the existence
    of the CSSRuleList.rulesOfType attribute. This makes epub conversion work
    again. (Closes: #584756)
  * Add debian/local/calibre-mount-helper: Simple and safe replacement
    for upstream's calibre-mount-helper, using udisks --mount and eject.
    (Closes: #584915, LP: #561958)
And with respect to Lucid's version, I don't think it ever was a problem
since, AFAICT, that version didn't have calibre-mount-helper included.
It's certainly not in the package's filelist.
http://packages.ubuntu.com/lucid/all/calibre/filelist
As Hakan mentioned in his reply, what calibre-mount-helper does now is
simply call udisks to mount/unmount devices. This process no longer
requires setuid privileges for calibre-mount-helper, which is what the
entire brouhaha centered around.
--
sktsee
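The non-setuid approach sktsee describes, as an added shell illustration that is neither the Debian package's helper nor calibre's own code: it validates the device name, hands the actual mount to udisks, and adds a check for the setuid bit on the upstream helper at /opt/calibre/bin/calibre-mount-helper that Kevin mentions deleting after each upgrade. It assumes the udisks v1 command line (udisks --mount / --unmount) and the eject utility are installed.

```shell
#!/bin/sh
# Added illustration, not the Debian or calibre code: a non-setuid mount helper
# in the style the thread describes (delegate to udisks so the helper itself
# holds no privilege), plus a check for the setuid upstream helper.
# Assumes the udisks v1 command line (udisks --mount / --unmount) and eject.

# Accept only plain block-device names; anything else (shell metacharacters,
# relative paths, files outside /dev) is rejected before it reaches udisks.
valid_device_name() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][0-9]|/dev/sd[a-z][0-9][0-9]) return 0 ;;
        /dev/mmcblk[0-9]|/dev/mmcblk[0-9]p[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# mount|unmount|eject DEVICE: runs as the invoking user; udisks performs the
# privileged work under its own policy, so no setuid bit is needed here.
calibre_mount_helper() {
    action=$1 dev=$2
    valid_device_name "$dev" || { echo "refusing device '$dev'" >&2; return 2; }
    case "$action" in
        mount)   udisks --mount "$dev" ;;
        unmount) udisks --unmount "$dev" ;;
        eject)   udisks --unmount "$dev"; eject "$dev" ;;
        *) echo "usage: $0 mount|unmount|eject DEVICE" >&2; return 2 ;;
    esac
}

# Post-upgrade audit for the case raised in the thread: returns 1 if the helper
# binary exists with the setuid bit set, 0 if it is absent or not setuid.
# The default path is the one named in the thread for the upstream installer.
helper_is_safe() {
    path=${1:-/opt/calibre/bin/calibre-mount-helper}
    [ -e "$path" ] || return 0
    [ -u "$path" ] && return 1
    return 0
}

# Act as a command when given arguments; otherwise only define the functions.
if [ $# -gt 0 ]; then
    calibre_mount_helper "$@"
    exit $?
fi
```

Run `sh calibre-mount-helper.sh mount /dev/sdb1` to mount, or source the file and call `helper_is_safe` after each calibre upgrade to confirm the installed helper is not setuid.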