Bug#987671: gnome-disk-utility: User could possibly erase/format the hard disk without giving any password

Pascal pascal.martine at gmx.fr
Tue Apr 27 15:10:14 BST 2021


Package: gnome-disk-utility
Version: 3.38.2-1
Severity: normal to critical
Tags: newcomer
X-Debbugs-Cc: pascal.martine at gmx.fr

Dear Maintainer,

    Problem: Very DANGEROUS BUG in gnome-disk-utility: USER COULD POSSIBLY
DELETE THE HARD DISK BY MISTAKE WITHOUT GIVING ANY PASSWORD.

    Hi,

    I have discovered a very dangerous bug in gnome-disk-utility.
    I am now on Debian 11 bullseye testing and that bug was already present on
Debian 10 buster stable and probably before too.

    Usage process:
    - We use gnome-disk-utility (graphical interface) and we want to copy an
ISO image on a USB stick.
    - We insert our USB stick, we click on USB on the left of the
gnome-disk-utility window.
    - We then choose the "Restore Disk Image..." (translation of the French
"Restaurer l'image disque...").
    - When we have chosen the ISO file to put on the USB stick, the software
comes with a window that says "Begin restoration..." (translation of the French
"Demarrer la restauration...").
    - We click on "Demarrer la restauration" and then another window says
"Cancel/Restore" (French: "Annuler/Restaurer").
    - We click on "Restore" (French "Restaurer") and the software asks us for
necessary authentication (password) (French "Authentification necessaire").

    BUG:
    At that point, EVEN IF WE CLICK "CANCEL" (French "ANNULER"), THE USB STICK
IS ERASED, it is formatted anyway.
    And a big concern is: What would have happened if, by mistake, we had
clicked on the hard disk (HDD) instead of the USB stick as a destination for
our ISO image?? It would certainly have been erased too, without even having
given any password!! A child or inattentive, tired person could erase the hard
disk that way.
    I tested that several times with a USB stick, but having just one computer,
I couldn't test that bug with the Hard Disk. And I don't know if there is a
protection to prevent the user from selecting the Hard Disk instead of a USB
stick.

    Cordially,
    Pascal.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not
set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-disk-utility depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.38.0-2
ii  libatk1.0-0                                  2.36.0-2
ii  libc6                                        2.31-11
ii  libcairo2                                    1.16.0-5
ii  libcanberra-gtk3-0                           0.30-7
ii  libdvdread8                                  6.1.1-2
ii  libgdk-pixbuf-2.0-0                          2.42.2+dfsg-1
ii  libglib2.0-0                                 2.66.8-1
ii  libgtk-3-0                                   3.24.24-3
ii  liblzma5                                     5.2.5-2
ii  libnotify4                                   0.7.9-3
ii  libpango-1.0-0                               1.46.2-3
ii  libpangocairo-1.0-0                          1.46.2-3
ii  libpwquality1                                1.4.4-1
ii  libsecret-1-0                                0.20.4-2
ii  libsystemd0                                  247.3-3
ii  libudisks2-0                                 2.9.2-1
ii  udisks2                                      2.9.2-1

gnome-disk-utility recommends no packages.

gnome-disk-utility suggests no packages.


