TITLE:
Calibre "calibre-mount-helper" Weaknesses and Security Issues

SECUNIA ADVISORY ID:
SA46620

VERIFY ADVISORY:
http://secunia.com/advisories/46620/

RELEASE DATE:
2011-11-03

DESCRIPTION:
Some weaknesses and security issues have been reported in Calibre, which can be exploited by malicious, local users to manipulate certain data and gain escalated privileges.

1) An error within the "calibre-mount-helper" utility can be exploited to create arbitrary root-owned directories.
2) An error within the "calibre-mount-helper" utility can be exploited to delete arbitrary empty directories.
3) An error within the "calibre-mount-helper" utility can be exploited to create and delete the ".created_by_calibre_mount_helper" file in arbitrary directories.
4) The "calibre-mount-helper" utility does not use the full path when invoking other programs, which can be exploited to execute arbitrary applications as root by changing the "PATH" environment variable.
5) The "calibre-mount-helper" utility can be used to mount, unmount, and eject arbitrary directories and mountpoints.
6) Race conditions within the mount process can be exploited to e.g. mount arbitrary directories via symlink attacks.

Note: Additionally, it's possible to inject arguments to the "mount" utility.

SOLUTION:
Restrict access to trusted users only or remove the suid bit from the "calibre-mount-helper" utility.

PROVIDED AND/OR DISCOVERED BY:
Jason A. Donenfeld. Additional information provided by Dan Rosenberg.

ORIGINAL ADVISORY:
https://bugs.launchpad.net/calibre/+bug/885027/
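
Item 4 and the argument-injection note, as an added example (not Calibre's code and not taken from the advisory): a setuid helper should take the programs it runs from a fixed table of absolute paths, pass a fixed environment, and refuse operands that could be parsed as options. The tool paths, function names and environment value are assumptions, and the sketch does not address the symlink races in item 6.

```c
/* Added example, not Calibre's code. Paths in TRUSTED are assumed locations. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct tool { const char *name; const char *path; };
static const struct tool TRUSTED[] = {
    { "mount", "/bin/mount" }, { "umount", "/bin/umount" }, { "eject", "/usr/bin/eject" },
};

/* Weak pattern from item 4: execvp("mount", argv) searches the caller's $PATH.
 * Hardened: map the bare name to a fixed absolute path and never consult $PATH. */
const char *trusted_path(const char *name) {
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strcmp(name, TRUSTED[i].name) == 0) return TRUSTED[i].path;
    return NULL;
}

/* Accept only absolute operands with no ".." component. Requiring a leading
 * '/' also rejects anything the tool would parse as an option ("-o ..."). */
int operand_ok(const char *arg) {
    if (arg == NULL || arg[0] != '/') return 0;
    for (const char *p = arg; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0') return 0;
    return 1;
}

/* Run a trusted tool on two validated operands with a fixed environment.
 * Returns the tool's exit status, or -1 if validation or process setup fails. */
int run_tool(const char *name, const char *dev, const char *dir) {
    const char *path = trusted_path(name);
    if (!path || !operand_ok(dev) || !operand_ok(dir)) return -1;
    char *const argv[] = { (char *)path, (char *)dev, (char *)dir, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {   /* prints "1 0": validation only, nothing is mounted */
    printf("%d %d\n", operand_ok("/media/reader"), operand_ok("-o"));
    return 0;
}
```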