|
Date: Sat, 4 Apr 2015 05:36:41 -0400 (EDT)
From: cve-assign@...re.org
To: mike.gabriel@...-netzwerkteam.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/781608#15
> This deserves a CVE ID

Is upstream planning to announce this as a vulnerability fix? It appears
that this increases security in some environments but decreases security
in others. For example:

- MATE is used by an organization that requires each person to lock their
  screen if they will be away from the screen, even for a moment.

- The USB device contains sensitive information. The person is required to
  maintain physical control of the USB device at all times.

- The relevant screen is not located in the same room as the relevant USB
  socket. The person is not allowed to change hardware locations.

- The person requires automounting. Workarounds such as a script to sleep
  for a minute and then explicitly do a mount are, for some reason,
  unacceptable.

- There may be other constraints that aren't directly specified here.

The bottom line is that, in this environment, the person has no way to
have the USB device remain inserted at a time when that person's screen is
unlocked. This might occur only rarely, and one might argue that the
person isn't allowed to "require" automounting.

In any case, if the situation is roughly like "Upstream doesn't want
automounting when the screen is locked. The previous behavior of
automounting when the screen is locked was an oversight." then there can
be a CVE ID. If the situation isn't like that, and instead is roughly like
"Here's a usually useful security improvement or defense-in-depth
measure," then there can't be a CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVH7A0AAoJEKllVAevmvmsvGgH/0L8IUBF7w4JiFe9BFqh6+z6
N+9LqjvXEZHcZcSvWo66LwSLeZJVhyG6wRDWddSIKlPyTDDRWxbyRvHuYUX0bFV1
A2aGGB39K0oQ+Mh/m65UE7KbzqZlbJVpIG5vcSUMXZ+O+UonQRnj9AyUK2vqvD6M
YRacpzqjCV6Q3nYXRF+nxIbTyd+bL4RVgscfDFFJqM5pfGxbFG2EUhbJ091p9KWP
4oaf5xIF1Pkv0sy9WVcaMQx8fU2t91VI16o05IdlHu52fv/xR5zYyGFsQb9n32KX
3wCsEWfuKwO89x+pEZkZs2jv91Bd9AKYccsgK2VuMmXga1uQJ7HVKAYkfwR7CHA=
=bo3+
-----END PGP SIGNATURE-----