Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 04 May 2015 13:20:13 +0000
From: Mike Gabriel <mike.gabriel@...-netzwerkteam.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: Caja / MATE Desktop Environment: caja automounts
 USB flash drives and CD/DVD drives while session is locked

Hi,

sorry for the delay in the follow-up on this.

On  Sa 04 Apr 2015 11:36:41 CEST, cve-assign wrote:

>> https://bugs.debian.org/781608#15
>
>> This deserves a CVE ID
>
> Is upstream planning to announce this as a vulnerability fix? It
> appears that this increases security in some environments but
> decreases security in others. For example:
>
>   - MATE is used by an organization that requires each person to lock
>     their screen if they will be away from the screen, even for a
>     moment.
>
>   - The USB device contains sensitive information. The person is
>     required to maintain physical control of the USB device at all
>     times.
>
>   - The relevant screen is not located in the same room as the
>     relevant USB socket. The person is not allowed to change hardware
>     locations.
>
>   - The person requires automounting. Workarounds such as a script to
>     sleep for a minute and then explicitly do a mount are, for some
>     reason, unacceptable.
>
>   - There may be other constraints that aren't directly specified
>     here. The bottom line is that, in this environment, the person has
>     no way to have the USB device remain inserted at a time when that
>     person's screen is unlocked.
>
> This might occur only rarely, and one might argue that the person
> isn't allowed to "require" automounting.
>
> In any case, if the situation is roughly like "Upstream doesn't want
> automounting when the screen is locked. The previous behavior of
> automounting when the screen is locked was an oversight." then there
> can be a CVE ID. If the situation isn't like that, and instead is
> roughly like "Here's a usually useful security improvement or
> defense-in-depth measure," then there can't be a CVE ID.

There now is a pull request on Github [1] to get this issue fixed in  
Caja. I just (a minute ago) received notification from upstream that  
the PR will get merged ASAP.

So upstream plans to fix this with the next release of caja (probably  
1.10) and it is considered an issue (similar to how it was considered  
an issue in the nautilus browser where Caja has been forked from).

light+love,
Mike (from the Debian MATE Packaging Team)

[1] https://github.com/mate-desktop/caja/pull/400
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@...-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.