Date: Wed, 23 Feb 2011 10:41:35 -0700 From: Vincent Danen <vdanen@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Physical access vulnerabilities and auto-mounting * [2011-02-23 08:33:48 +0100] Sebastian Krahmer wrote: >Unfortunally I think nobody would care. As nobody cared >that you actually do not need physical access. Via udisks DBUS >service you can load any LKM via > >dbus-send --system --print-reply --dest=org.freedesktop.UDisks \ > /org/freedesktop/UDisks/devices/sr0 \ > org.freedesktop.UDisks.Device.FilesystemMount \ > string:'LKM' array:string:'' > >I reported that several months ago to upstream but it was frozen to more >or less a non-issue. Indeed nobody agreed that this is an issue to fix. Please use CVE-2010-4661 for this udisks flaw. Some additional references: https://bugs.freedesktop.org/show_bug.cgi?id=32232 https://bugzilla.redhat.com/show_bug.cgi?id=664082 -- Vincent Danen / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.