Bug#987671: gnome-disk-utility: User could possibly erase/format the hard disk without giving any password
Pascal
pascal.martine at gmx.fr
Tue Apr 27 15:10:14 BST 2021
Package: gnome-disk-utility
Version: 3.38.2-1
Severity: normal to critical
Tags: newcomer
X-Debbugs-Cc: pascal.martine at gmx.fr
Dear Maintainer,
Problem: Very DANGEROUS BUG in gnome-disk-utility : USER COULD POSSIBLY
DELETE THE HARD DISK BY MISTAKE WITHOUT GIVING ANY PASSWORD.
Hi,
I have discovered a very dangerous bug in gnome-disk-utility.
I am now on Debian 11 bullseye testing and that bug was already present on
Debian 10 buster stable and probably before too.
Usage process :
- We use gnome-disk-utility (graphical interface) and we want to copy an
ISO image onto a USB stick.
- We insert our USB stick, we click on USB on the left of the
gnome-disk-utility window.
- We then choose the "Restore Disk Image..." (translation of the French
"Restaurer l'image disque...").
- When we have chosen the ISO file to put on the USB stick, the software
comes with a window that says "Begin restoration..." (translation of the French
"Demarrer la restauration...").
- We click on "Demarrer la restauration" and then another window says
"Cancel/Restore" (French: "Annuler/Restaurer").
- We click on "Restore" (French "Restaurer") and the software asks us for
necessary authentication (password) (French "Authentification necessaire").
BUG :
At that point, EVEN IF WE CLICK "CANCEL" (French "ANNULER"), THE USB STICK
IS ERASED, it is formatted anyway.
And a big concern is: What would have happened if, by mistake, we had
clicked on the hard disk (HDD) instead of the USB stick as a destination for
our ISO image?? It would certainly have been erased too, without even having
given any password!! A child or inattentive, tired person could erase the hard
disk that way.
I tested that several times with a USB stick, but having just one computer,
I couldn't test that bug with the Hard Disk. And I don't know if there is a
protection for preventing the user from selecting the Hard Disk instead of a USB
stick.
Cordially,
Pascal.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-disk-utility depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.38.0-2
ii libatk1.0-0 2.36.0-2
ii libc6 2.31-11
ii libcairo2 1.16.0-5
ii libcanberra-gtk3-0 0.30-7
ii libdvdread8 6.1.1-2
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgtk-3-0 3.24.24-3
ii liblzma5 5.2.5-2
ii libnotify4 0.7.9-3
ii libpango-1.0-0 1.46.2-3
ii libpangocairo-1.0-0 1.46.2-3
ii libpwquality1 1.4.4-1
ii libsecret-1-0 0.20.4-2
ii libsystemd0 247.3-3
ii libudisks2-0 2.9.2-1
ii udisks2 2.9.2-1
gnome-disk-utility recommends no packages.
gnome-disk-utility suggests no packages.