Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat,  4 Apr 2015 05:36:41 -0400 (EDT)
From: cve-assign@...re.org
To: mike.gabriel@...-netzwerkteam.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugs.debian.org/781608#15

> This deserves a CVE ID

Is upstream planning to announce this as a vulnerability fix? It
appears that this increases security in some environments but
decreases security in others. For example:

  - MATE is used by an organization that requires each person to lock
    their screen if they will be away from the screen, even for a
    moment.

  - The USB device contains sensitive information. The person is
    required to maintain physical control of the USB device at all
    times.

  - The relevant screen is not located in the same room as the
    relevant USB socket. The person is not allowed to change hardware
    locations.

  - The person requires automounting. Workarounds such as a script to
    sleep for a minute and then explicitly do a mount are, for some
    reason, unacceptable.

  - There may be other constraints that aren't directly specified
    here. The bottom line is that, in this environment, the person has
    no way to have the USB device remain inserted at a time when that
    person's screen is unlocked.

This might occur only rarely, and one might argue that the person
isn't allowed to "require" automounting.

In any case, if the situation is roughly like "Upstream doesn't want
automounting when the screen is locked. The previous behavior of
automounting when the screen is locked was an oversight." then there
can be a CVE ID. If the situation isn't like that, and instead is
roughly like "Here's a usually useful security improvement or
defense-in-depth measure," then there can't be a CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVH7A0AAoJEKllVAevmvmsvGgH/0L8IUBF7w4JiFe9BFqh6+z6
N+9LqjvXEZHcZcSvWo66LwSLeZJVhyG6wRDWddSIKlPyTDDRWxbyRvHuYUX0bFV1
A2aGGB39K0oQ+Mh/m65UE7KbzqZlbJVpIG5vcSUMXZ+O+UonQRnj9AyUK2vqvD6M
YRacpzqjCV6Q3nYXRF+nxIbTyd+bL4RVgscfDFFJqM5pfGxbFG2EUhbJ091p9KWP
4oaf5xIF1Pkv0sy9WVcaMQx8fU2t91VI16o05IdlHu52fv/xR5zYyGFsQb9n32KX
3wCsEWfuKwO89x+pEZkZs2jv91Bd9AKYccsgK2VuMmXga1uQJ7HVKAYkfwR7CHA=
=bo3+
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.