Bug#987671: gnome-disk-utility: User could possibly erase/format the hard disk without giving any password
pascal.martine at gmx.fr
Tue Apr 27 15:10:14 BST 2021
Severity: normal to critical
X-Debbugs-Cc: pascal.martine at gmx.fr
Problem: Very DANGEROUS BUG in gnome-disk-utility : USER COULD POSSIBLY
DELETE THE HARD DISK BY MISTAKE WITHOUT GIVING ANY PASSWORD.
I have discovered a very dangerous bug in gnome-disk-utility.
I am now on Debian 11 bullseye testing and that bug was already present on
Debian 10 buster stable and probably before too.
Usage process :
- We use gnome-disk-utility (graphical interface) and we want to copy an
ISO image on a USB stick.
- We insert our USB stick, we click on USB on the left of the gnome-disk-
- We then choose "Restore Disk Image..." (translation of the French
"Restaurer l'image disque...").
- When we have chosen the ISO file to put on the USB stick, the software
comes with a window that says "Begin restoration..." (translation of the French
"Demarrer la restauration...").
- We click on "Demarrer la restauration" and then another window says
"Cancel/Restore" (French: "Annuler/Restaurer").
- We click on "Restore" (French "Restaurer") and the software asks us for
the necessary authentication (password) (French "Authentification necessaire").
At that point, EVEN IF WE CLICK "CANCEL" (French "ANNULER"), THE USB STICK
IS ERASED, it is formatted anyway.
And a big concern is: What would have happened if, by mistake, we had
clicked on the hard disk (HDD) instead of the USB stick as a destination for
our ISO image ?? It would certainly have been erased too, without even having
given any password !! A child or an inattentive, tired person could erase the hard
disk that way.
I tested that several times with a USB stick, but having just one computer,
I couldn't test that bug with the Hard Disk. And I don't know if there is a
protection to prevent the user from selecting the Hard Disk instead of a USB
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-disk-utility depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.38.0-2
ii libatk1.0-0 2.36.0-2
ii libc6 2.31-11
ii libcairo2 1.16.0-5
ii libcanberra-gtk3-0 0.30-7
ii libdvdread8 6.1.1-2
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libglib2.0-0 2.66.8-1
ii libgtk-3-0 3.24.24-3
ii liblzma5 5.2.5-2
ii libnotify4 0.7.9-3
ii libpango-1.0-0 1.46.2-3
ii libpangocairo-1.0-0 1.46.2-3
ii libpwquality1 1.4.4-1
ii libsecret-1-0 0.20.4-2
ii libsystemd0 247.3-3
ii libudisks2-0 2.9.2-1
ii udisks2 2.9.2-1
gnome-disk-utility recommends no packages.
gnome-disk-utility suggests no packages.