Date: Fri, 03 Apr 2015 19:29:04 +0000
From: Mike Gabriel <mike.gabriel@...-netzwerkteam.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: Caja / MATE Desktop Environment: caja automounts USB flash drives and CD/DVD drives while session is locked

Application: Caja (file browser of the MATE desktop environment)
Upstream-Source: https://github.com/mate-desktop/caja
Vulnerability type: auto-run drive-by attack

Description: caja automounts USB flash drives and CD/DVD drives while session is locked

Abstract: To avoid auto-run drive-by attacks by a physically proximate attacker on the system from USB auto-mounting while the screen is locked, the desktop should delay automounting until the screen is unlocked (to not interfere with the case of sitting back down at your system, plugging in a device, and then unlocking your screen).

Affected versions: all known versions

Upstream bug report: https://github.com/mate-desktop/caja/issues/398

To my knowledge, no CVE has been requested, so far.

The issue was first reported on Debian BTS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781608#5

Mike

http://www.net-security.org/secworld.php?id=10544

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@...-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
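
The delayed-automount policy described in the abstract above, sketched in C as an added example; it is not part of the original message and not Caja's code. The names automount_gate, gate_volume_added, gate_volume_removed, gate_set_locked and do_mount are hypothetical, and the device names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_PENDING 8   /* bound the queue; extra devices are ignored, not mounted */

/* Hypothetical automount gate for illustration; not Caja's data structures. */
struct automount_gate {
    bool locked;
    char pending[MAX_PENDING][32];
    int  n_pending, n_mounted;
};

/* Stand-in for the real mount call (constructed for this example). */
static void do_mount(struct automount_gate *g, const char *dev) {
    printf("mount %s\n", dev);
    g->n_mounted++;
}

/* Volume appeared: mount immediately only if the session is unlocked. */
bool gate_volume_added(struct automount_gate *g, const char *dev) {
    if (!g->locked) { do_mount(g, dev); return true; }
    if (g->n_pending < MAX_PENDING)
        snprintf(g->pending[g->n_pending++], sizeof g->pending[0], "%s", dev);
    return false;
}

/* Volume vanished while locked: forget it so unlock does not mount it. */
void gate_volume_removed(struct automount_gate *g, const char *dev) {
    for (int i = 0; i < g->n_pending; i++) {
        if (strcmp(g->pending[i], dev) != 0) continue;
        memmove(&g->pending[i], &g->pending[i + 1],
                (size_t)(g->n_pending - i - 1) * sizeof g->pending[0]);
        g->n_pending--; return;
    }
}

/* Lock state changed: on unlock, mount whatever is still plugged in. */
void gate_set_locked(struct automount_gate *g, bool locked) {
    g->locked = locked;
    if (locked) return;
    for (int i = 0; i < g->n_pending; i++) do_mount(g, g->pending[i]);
    g->n_pending = 0;
}

int main(void) {   /* constructed event sequence */
    struct automount_gate g = { .locked = true };
    gate_volume_added(&g, "sdb1"); gate_volume_added(&g, "sdc1");
    gate_volume_removed(&g, "sdb1"); gate_set_locked(&g, false);
    return g.n_mounted == 1 ? 0 : 1;   /* only sdc1 is mounted on unlock */
}
```

Queued devices are mounted only after the unlock event, which preserves the case the abstract calls out: plugging in a device at a locked screen and then unlocking.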