Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 23 Feb 2011 10:41:35 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Physical access vulnerabilities and auto-mounting

* [2011-02-23 08:33:48 +0100] Sebastian Krahmer wrote:

>Unfortunally I think nobody would care. As nobody cared
>that you actually do not need physical access. Via udisks DBUS
>service you can load any LKM via
>
>dbus-send --system --print-reply --dest=org.freedesktop.UDisks          \
>                   /org/freedesktop/UDisks/devices/sr0                  \
>                   org.freedesktop.UDisks.Device.FilesystemMount        \
>                   string:'LKM' array:string:''
>
>I reported that several months ago to upstream but it was frozen to more
>or less a non-issue. Indeed nobody agreed that this is an issue to fix.

Please use CVE-2010-4661 for this udisks flaw.

Some additional references:

https://bugs.freedesktop.org/show_bug.cgi?id=32232
https://bugzilla.redhat.com/show_bug.cgi?id=664082

-- 
Vincent Danen / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.