Old 11-29-2011, 06:46 PM
Shaun ONeil
 
Default Using calibre safely?

Hi Kevin,

On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:

> For a few months now I've been using calibre to access the 100-or-so
> ebooks that I have (mostly DRM-free PDFs).
> I just became aware of a vulnerability built in to calibre.
> I am not enormously worried because this is a one-user system, and the
> vulnerability seems to involve privilege
> escalation by authorized users.

The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30

> On the other hand, it appears that my calibre is listening on a TCP
> port. It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd like
> it to stop network access because I'm not networking any of these
> books. Not intentionally, anyway.

That one I wasn't expecting. Do you have Sharing enabled? (Preferences -> Sharing -> 'Sharing over the net') I believe that's the only place mine's listening.


> I'm open to advice and suggestions, including replacing calibre with
> something else, but I have to end up with access to
> my library and reasonable security.
>
> --
> Kevin O'Gorman, PhD

Regards,
Shaun ONeil
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 11-29-2011, 10:21 PM
Ernest Doub
 
Default Using calibre safely?

On Tue, Nov 29, 2011 at 10:09 AM, Kevin O'Gorman <kogorman@gmail.com> wrote:

> For a few months now I've been using calibre to access the 100-or-so
> ebooks that I have (mostly DRM-free PDFs).
> I just became aware of a vulnerability built in to calibre.
> I am not enormously worried because this is a one-user system, and the
> vulnerability seems to involve privilege
> escalation by authorized users.
>
> On the other hand, it appears that my calibre is listening on a TCP
> port. It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd like
> it to stop network access because I'm not networking any of these
> books. Not intentionally, anyway.
>
> I'm open to advice and suggestions, including replacing calibre with
> something else, but I have to end up with access to
> my library and reasonable security.
>
> --
> Kevin O'Gorman, PhD


You might look at FBReader, available through the Ubuntu Software Center.
I have it installed on my tablet as well as my desktop. Don't use it very often as I am satisfied with the Aldiko reader for my tablet and usually am working with Open Office or PDF docs on the desktop.

--

“If I had a dollar for every time that capitalism was blamed for the
problems caused by government, I’d be a fat filmmaker with a baseball
cap.” - from a Facebook viral video

 
Old 11-30-2011, 06:43 AM
"Kevin O'Gorman"
 
Default Using calibre safely?

On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil <shaun@oneil.me.uk> wrote:
> Hi Kevin,
>
> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>
>> For a few months now I've been using calibre to access the 100-or-so
>> ebooks that I have (mostly DRM-free PDFs).
>> I just became aware of a vulnerability built in to calibre.
>> I am not enormously worried because this is a one-user system, and the
>> vulnerability seems to involve privilege
>> escalation by authorized users.
>
> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30

I'm not using the Ubuntu version, but instead I use the calibre python
installer. I much prefer the modern version, and 10.04 LTS is just so
out of date. So I'm going to have to roll my own security. I'll have
a look at that launchpad bug.

--
Kevin O'Gorman, PhD

 
Old 11-30-2011, 12:26 PM
sktsee
 
Default Using calibre safely?

On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun@oneil.me.uk> wrote:
>> Hi Kevin,
>>
>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>
>>> For a few months now I've been using calibre to access the 100-or-so
>>> ebooks that I have (mostly DRM-free PDFs).
>>> I just became aware of a vulnerability built in to calibre.
>>> I am not enormously worried because this is a one-user system, and the
>>> vulnerability seems to involve privilege
>>> escalation by authorized users.
>>
>> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>
> I'm not using the Ubuntu version, but instead I use the calibre python
> installer. I much prefer the modern version, and 10.04 LTS is just so
> out of date. So I'm going to have to roll my own security. I'll have
> a look at that launchpad bug.



http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210

title: "Remove the suid mount helper used on linux and bsd, as it proved
impossible to make it secure."


This entry was under the version 0.8.25 section of calibre's changelog
and took effect 2011-11-06. The current version is 0.8.28 so that
particular issue has been remedied.


--
sktsee


 
Old 11-30-2011, 04:22 PM
"Kevin O'Gorman"
 
Default Using calibre safely?

On Wed, Nov 30, 2011 at 5:26 AM, sktsee <sktseer@gmail.com> wrote:
> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>
>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun@oneil.me.uk> wrote:
>>>
>>> Hi Kevin,
>>>
>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>
>>>> For a few months now I've been using calibre to access the 100-or-so
>>>> ebooks that I have (mostly DRM-free PDFs).
>>>> I just became aware of a vulnerability built in to calibre.
>>>> I am not enormously worried because this is a one-user system, and the
>>>> vulnerability seems to involve privilege
>>>> escalation by authorized users.
>>>
>>>
>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>> (since 10.10), or most other distros. The 'helper' was replaced by the
>>> packager by something which better integrated with the methods Ubuntu uses
>>> for mounting disks - see
>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>
>>
>> I'm not using the Ubuntu version, but instead I use the calibre python
>> installer. I much prefer the modern version, and 10.04 LTS is just so
>> out of date. So I'm going to have to roll my own security. I'll have
>> a look at that launchpad bug.
>>
>
> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>
> title: "Remove the suid mount helper used on linux and bsd, as it proved
> impossible to make it secure."
>
> This entry was under the version 0.8.25 section of calibre's changelog and
> took effect 2011-11-06. The current version is 0.8.28 so that particular
> issue has been remedied.
>

Not really. Natty shows version 0.7.44 in the repositories. The
current version from
the source is 0.8.28, and it still has the offending mount helper at
/opt/calibre/bin/calibre-mount-helper.

I guess I'll just delete it each time I upgrade.

--
Kevin O'Gorman, PhD

 
Old 11-30-2011, 04:30 PM
Hakan Koseoglu
 
Default Using calibre safely?

Kevin,
On 30/11/11 17:22, Kevin O'Gorman wrote:
> Not really. Natty shows version 0.7.44 in the repositories. The
> current version from
> the source is 0.8.28, and it still has the offending mount helper at
> /opt/calibre/bin/calibre-mount-helper.
>
> I guess I'll just delete it each time I upgrade.


Stick to the version coming from ubuntu. If you check the contents of
/usr/bin/calibre-mount-helper you will see that author's stupid code has
been replaced with udisks & eject by Debian lot.


--
Hakan (m1fcj) - http://www.hititgunesi.org
"What part of 'ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn'
don't you understand?"

 
Old 11-30-2011, 05:07 PM
sktsee
 
Default Using calibre safely?

On 11/30/2011 11:22 AM, Kevin O'Gorman wrote:
> On Wed, Nov 30, 2011 at 5:26 AM, sktsee<sktseer@gmail.com> wrote:
>> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun@oneil.me.uk> wrote:
>>>> Hi Kevin,
>>>>
>>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>>
>>>>> For a few months now I've been using calibre to access the 100-or-so
>>>>> ebooks that I have (mostly DRM-free PDFs).
>>>>> I just became aware of a vulnerability built in to calibre.
>>>>> I am not enormously worried because this is a one-user system, and the
>>>>> vulnerability seems to involve privilege
>>>>> escalation by authorized users.
>>>>
>>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>>> (since 10.10), or most other distros. The 'helper' was replaced by the
>>>> packager by something which better integrated with the methods Ubuntu uses
>>>> for mounting disks - see
>>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>>
>>> I'm not using the Ubuntu version, but instead I use the calibre python
>>> installer. I much prefer the modern version, and 10.04 LTS is just so
>>> out of date. So I'm going to have to roll my own security. I'll have
>>> a look at that launchpad bug.
>>
>> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>>
>> title: "Remove the suid mount helper used on linux and bsd, as it proved
>> impossible to make it secure."
>>
>> This entry was under the version 0.8.25 section of calibre's changelog and
>> took effect 2011-11-06. The current version is 0.8.28 so that particular
>> issue has been remedied.
>
> Not really. Natty shows version 0.7.44 in the repositories. The
> current version from
> the source is 0.8.28, and it still has the offending mount helper at
> /opt/calibre/bin/calibre-mount-helper.
>
> I guess I'll just delete it each time I upgrade.



Actually it's been remedied in Ubuntu packages since Maverick.

http://changelogs.ubuntu.com/changelogs/pool/universe/c/calibre/calibre_0.7.44+dfsg-1build1/changelog

calibre (0.7.2+dfsg-1) unstable; urgency=low

  * New major upstream version. See http://calibre-ebook.com/new-in/seven for
    details.
  * Refresh patches to apply cleanly.
  * debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the existence
    of the CSSRuleList.rulesOfType attribute. This makes epub conversion work
    again. (Closes: #584756)
  * Add debian/local/calibre-mount-helper: Simple and safe replacement for
    upstream's calibre-mount-helper, using udisks --mount and eject.
    (Closes: #584915, LP: #561958)

And with respect to Lucid's version, I don't think it ever was a problem
since, AFAICT, that version didn't have calibre-mount-helper included.
It's certainly not in the package's filelist.


http://packages.ubuntu.com/lucid/all/calibre/filelist

As Hakan mentioned in his reply, what calibre-mount-helper does now is
simply call udisks to mount/unmount devices. This process no longer
requires setuid privileges for calibre-mount-helper, which is what the
entire brouhaha centered around.


--
sktsee


 
Old 11-30-2011, 09:23 PM
"Kevin O'Gorman"
 
Default Using calibre safely?

On Wed, Nov 30, 2011 at 10:07 AM, sktsee <sktseer@gmail.com> wrote:
> On 11/30/2011 11:22 AM, Kevin O'Gorman wrote:
>>
>> On Wed, Nov 30, 2011 at 5:26 AM, sktsee<sktseer@gmail.com> wrote:
>>>
>>> On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:
>>>>
>>>>
>>>> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<shaun@oneil.me.uk>
>>>> wrote:
>>>>>
>>>>>
>>>>> Hi Kevin,
>>>>>
>>>>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>>>>
>>>>>> For a few months now I've been using calibre to access the 100-or-so
>>>>>> ebooks that I have (mostly DRM-free PDFs).
>>>>>> I just became aware of a vulnerability built in to calibre.
>>>>>> I am not enormously worried because this is a one-user system, and the
>>>>>> vulnerability seems to involve privilege
>>>>>> escalation by authorized users.
>>>>>
>>>>>
>>>>>
>>>>> The escalation that made the rounds lately does *not* affect Ubuntu
>>>>> (since 10.10), or most other distros. The 'helper' was replaced by the
>>>>> packager by something which better integrated with the methods Ubuntu
>>>>> uses
>>>>> for mounting disks - see
>>>>> https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>>>>
>>>>
>>>>
>>>> I'm not using the Ubuntu version, but instead I use the calibre python
>>>> installer. I much prefer the modern version, and 10.04 LTS is just so
>>>> out of date. So I'm going to have to roll my own security. I'll have
>>>> a look at that launchpad bug.
>>>>
>>>
>>>
>>> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
>>>
>>> title: "Remove the suid mount helper used on linux and bsd, as it proved
>>> impossible to make it secure."
>>>
>>> This entry was under the version 0.8.25 section of calibre's changelog
>>> and
>>> took effect 2011-11-06. The current version is 0.8.28 so that particular
>>> issue has been remedied.
>>>
>>
>> Not really. Natty shows version 0.7.44 in the repositories. The
>> current version from
>> the source is 0.8.28, and it still has the offending mount helper at
>> /opt/calibre/bin/calibre-mount-helper.
>>
>> I guess I'll just delete it each time I upgrade.
>>
>
> Actually it's been remedied in Ubuntu packages since Maverick.
>
> http://changelogs.ubuntu.com/changelogs/pool/universe/c/calibre/calibre_0.7.44+dfsg-1build1/changelog
>
> calibre (0.7.2+dfsg-1) unstable; urgency=low
>
> * New major upstream version. See http://calibre-ebook.com/new-in/seven for
>   details.
> * Refresh patches to apply cleanly.
> * debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the existence
>   of the CSSRuleList.rulesOfType attribute. This makes epub conversion work
>   again. (Closes: #584756)
> * Add debian/local/calibre-mount-helper: Simple and safe replacement for
>   upstream's calibre-mount-helper, using udisks --mount and eject.
>   (Closes: #584915, LP: #561958)
>
> And with respect to Lucid's version, I don't think it ever was a problem
> since, AFAICT, that version didn't have calibre-mount-helper included. It's
> certainly not in the package's filelist.
>
> http://packages.ubuntu.com/lucid/all/calibre/filelist

Dunno about Lucid, but it's definitely there (and using udisks) in
Natty's 0.7.44,
as /usr/bin/calibre-mount-helper.

OTOH, the current calibre from its author has a binary mount helper
instead of the
script that was there before, but it's still SUID+SGID which seems an
overreach for a non-administrative package. I have removed the admin
bits, and will see if the package still works for me. I have no idea
why the mount helper is even needed -- maybe for remote libraries?

>
> As Hakan mentioned in his reply, what calibre-mount-helper does now is
> simply call udisks to mount/unmount devices. This process no longer requires
> setuid privileges for calibre-mount-helper, which is what the entire
> brouhaha centered around.
>
>
> --
> sktsee
>
>



--
Kevin O'Gorman, PhD

 
Old 11-30-2011, 09:39 PM
"Kevin O'Gorman"
 
Default Using calibre safely?

On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil <shaun@oneil.me.uk> wrote:
> Hi Kevin,
>
> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>
>> For a few months now I've been using calibre to access the 100-or-so
>> ebooks that I have (mostly DRM-free PDFs).
>> I just became aware of a vulnerability built in to calibre.
>> I am not enormously worried because this is a one-user system, and the
>> vulnerability seems to involve privilege
>> escalation by authorized users.
>
> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>
>> On the other hand, it appears that my calibre is listening on a TCP
>> port. It's on a laptop behind a NAT router at
>> the moment, so I'm still safe, but because I'd like to migrate to
>> another system that is exposed to the net, I'd like
>> it to stop network access because I'm not networking any of these
>> books. Not intentionally, anyway.
>
> That one I wasn't expecting. Do you have Sharing enabled? (Preferences -> Sharing -> 'Sharing over the net') I believe that's the only place mine's listening.

AFAICT I'm not sharing. I've not activated it either through 'Sharing
over the net' nor the separate 'Connect/share' selections.


--
Kevin O'Gorman, PhD

 
Old 12-01-2011, 02:47 PM
sktsee
 
Default Using calibre safely?

On Wed, 30 Nov 2011 14:23:29 -0800, Kevin O'Gorman wrote:

[snip]
>
> Dunno about Lucid, but it's definitely there (and using udisks) in
> Natty's 0.7.44,
> as /usr/bin/calibre-mount-helper.
>
> OTOH, the current calibre from its author has a binary mount helper
> instead of the
> script that was there before, but it's still SUID+SGID which seems an
> overreach for a non-administrative package. I have removed the admin
> bits, and will see if the package still works for me. I have no idea
> why the mount helper is even needed -- maybe for remote libraries?
>
>
That's a bit odd that it still installs calibre-mount-helper as SUID+SGID,
since it doesn't actually do anything.

$ strace -q -eprocess /opt/calibre/bin/calibre-mount-helper
execve("/opt/calibre/bin/calibre-mount-helper", ["/opt/calibre/bin/
calibre-mount-h"...], [/* 43 vars */]) = 0
exit_group(1)

If you examine the source code, apparently this is exactly what it is
supposed to do:
http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/src/calibre/devices/linux_mount_helper.c

I was under the impression that the developer had modified
calibre-mount-helper to simply call udisks to handle removable media, but he
actually has calibre-mount-helper do nothing but exit with an error. Calibre
now calls a separate helper program (called udisks.py appropriately enough)
to invoke udisks.

From what I can tell just perusing some of the changed files in that
particular revision, it doesn't appear that the mount helper is called by
anything. In fact, if you were to install Calibre in your home directory
as non-root, the mount helper doesn't get installed at all. I guess there
could be some 3rd party plugins that depend on the mount helper being
present, but other than that scenario, I'm at loss to explain why it's
still included with the main program.

Removing the suid+sgid bits sounds like a good idea though, even if the
program does nothing more than immediately exit when run.

--
sktsee


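Kevin removed the SUID/SGID bits from the upstream helper by hand and earlier asked how to confirm calibre is not listening on a TCP port. The script below is an added example, not from the thread or from calibre itself: it lists and strips setuid/setgid bits under an install directory and reports listening TCP sockets owned by a calibre process. It assumes POSIX sh, find, chmod and ss or netstat; /opt/calibre is the path Kevin mentions, and CALIBRE_DIR is a hypothetical variable name chosen here.

```shell
#!/bin/sh
# Added example, not from the thread or from calibre: audit an install tree
# for setuid/setgid files, strip those bits, and report calibre listeners.
# Assumes POSIX sh, find(1), chmod(1), and ss(8) or netstat(8).

# Print every regular file under $1 carrying the setuid (4000) or setgid
# (2000) bit; an empty result means nothing in the tree runs with extra
# privilege.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Clear setuid and setgid on everything find_suid_sgid reports under $1 and
# print how many files changed. -exec is used instead of a word-split loop
# so paths containing spaces are handled.
strip_admin_bits() {
    before=$(find_suid_sgid "$1" | wc -l)
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} + 2>/dev/null
    after=$(find_suid_sgid "$1" | wc -l)
    echo $((before - after))
}

# Print TCP sockets in LISTEN state whose owning process name contains
# "calibre". Returns 0 when nothing is listening, 1 when something is, and
# 2 when neither ss nor netstat is available. Process names are only shown
# for your own processes unless run as root.
calibre_listening() {
    if command -v ss >/dev/null 2>&1; then
        out=$(ss -ltnp 2>/dev/null | grep -i calibre || true)
    elif command -v netstat >/dev/null 2>&1; then
        out=$(netstat -ltnp 2>/dev/null | grep -i calibre || true)
    else
        echo "neither ss nor netstat found" >&2
        return 2
    fi
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (hypothetical variable name): CALIBRE_DIR=/opt/calibre sh audit.sh
if [ -n "${CALIBRE_DIR:-}" ]; then
    echo "setuid/setgid files under $CALIBRE_DIR:"
    find_suid_sgid "$CALIBRE_DIR"
    echo "stripped bits from $(strip_admin_bits "$CALIBRE_DIR") file(s)"
    calibre_listening || echo "calibre is listening on the socket(s) above"
fi
```

Re-run the audit after every upgrade of the upstream installer, since it re-creates the helper with the bits set.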
 
