Using calibre safely?

Kevin O'Gorman kogorman at gmail.com
Wed Nov 30 22:23:29 UTC 2011


On Wed, Nov 30, 2011 at 10:07 AM, sktsee <sktseer at gmail.com> wrote:
> On 11/30/2011 11:22 AM, Kevin O'Gorman wrote:
>>
>> On Wed, Nov 30, 2011 at 5:26 AM, sktsee<sktseer at gmail.com>  wrote:
>>>
>>> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>>>
>>>>
>>>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun at oneil.me.uk>
>>>>  wrote:
>>>>>
>>>>>
>>>>> Hi Kevin,
>>>>>
>>>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>>>
>>>>>> For a few months now I've been using calibre to access the 100-or-so
>>>>>> ebooks that I have (mostly DRM-free PDFs).
>>>>>> I just became aware of a vulnerability built in to calibre.
>>>>>> I am not enormously worried because this is a one-user system, and the
>>>>>> vulnerability seems to involve privilege
>>>>>> escalation by authorized users.
>>>>>
>>>>>
>>>>>
>>>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>>>> (since 10.10), or most other distros.  The 'helper' was replaced by the
>>>>> packager by something which better integrated with the methods Ubuntu
>>>>> uses
>>>>> for mounting disks - see
>>>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>>>
>>>>
>>>>
>>>> I'm not using the Ubuntu version, but instead I use the calibre python
>>>> installer.  I much prefer the modern version, and 10.04 LTS is just so
>>>> out of date.  So I'm going to have to roll my own security.  I'll have
>>>> a look at that launchpad bug.
>>>>
>>>
>>>
>>> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>>>
>>> title: "Remove the suid mount helper used on linux and bsd, as it proved
>>> impossible to make it secure."
>>>
>>> This entry was under the version 0.8.25 section of calibre's changelog
>>> and
>>> took effect 2011-11-06. The current version is 0.8.28 so that particular
>>> issue has been remedied.
>>>
>>
>> Not really.  Natty shows version 0.7.44 in the repositories.  The
>> current version from
>> the source is 0.8.28, and it still has the offending mount helper at
>> /opt/calibre/bin/calibre-mount-helper.
>>
>> I guess I'll just delete it each time I upgrade.
>>
>
> Actually it's been remedied in Ubuntu packages since Maverick.
>
> http://changelogs.ubuntu.com/changelogs/pool/universe/c/calibre/calibre_0.7.44+dfsg-1build1/changelog
>
> calibre (0.7.2+dfsg-1) unstable; urgency=low
>
>  * New major upstream version. See http://calibre-ebook.com/new-in/seven for
>    details.
>  * Refresh patches to apply cleanly.
>  * debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the existence
>    of the CSSRuleList.rulesOfType attribute. This makes epub conversion work
>    again. (Closes: #584756)
>  * Add debian/local/calibre-mount-helper: Simple and safe replacement for
>    upstream's calibre-mount-helper, using udisks --mount and eject.
>    (Closes: #584915, LP: #561958)
>
> And with respect to Lucid's version, I don't think it ever was a problem
> since, AFAICT, that version didn't have calibre-mount-helper included. It's
> certainly not in the package's filelist.
>
> http://packages.ubuntu.com/lucid/all/calibre/filelist

Dunno about Lucid, but it's definitely there (and using udisks) in
Natty's 0.7.44, as /usr/bin/calibre-mount-helper.

OTOH, the current calibre from its author has a binary mount helper
instead of the script that was there before, but it's still SUID+SGID,
which seems an overreach for a non-administrative package.  I have
removed the admin bits, and will see if the package still works for me.
I have no idea why the mount helper is even needed -- maybe for remote
libraries?

>
> As Hakan mentioned in his reply, what calibre-mount-helper does now is
> simply call udisks to mount/unmount devices. This process no longer requires
> setuid privileges for calibre-mount-helper, which is what the entire
> brouhaha centered around.
>
>
> --
> sktsee
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users



-- 
Kevin O'Gorman, PhD
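The "removed the admin bits" step above, as an added example that is not part of this thread and not calibre's own code: a small POSIX shell audit that lists every setuid/setgid file under a tree (e.g. /opt/calibre for the upstream installer) and can strip those bits. The path /opt/calibre and the function names are assumptions for illustration; the script only relies on find -perm and chmod u-s,g-s, which exist on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not from the thread or from calibre): find files carrying
# the setuid (04000) or setgid (02000) bit under a directory tree, and
# optionally strip those bits so the package runs with the user's own
# privileges.  Assumes POSIX sh, find with -perm, and chmod u-s,g-s.

# Print every regular file under "$1" that has setuid or setgid set.
# -xdev keeps the scan on one filesystem so it never wanders into /proc etc.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Strip setuid and setgid from each such file under "$1", reporting each change.
strip_setid() {
    list_setid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'stripped setuid/setgid: %s\n' "$f"
    done
}

# Number of set-id files remaining under "$1"; 0 means the tree is clean.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Usage (hypothetical path):
#   sh setid_audit.sh /opt/calibre           # list only
#   sh setid_audit.sh /opt/calibre --strip   # remove the bits
if [ -n "${1:-}" ]; then
    case "${2:-}" in
        --strip) strip_setid "$1" ;;
        *)       list_setid "$1" ;;
    esac
fi
```

Run the list-only form after every upgrade of the binary installer; if the helper has come back with mode 6755, rerun with --strip (or, as in the thread, just delete it) and then check that device mounting still works through udisks for your user.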
