Bug#901798: cantata: source contains insecure mount.cifs wrapper, cantata-mounter

Simon McVittie smcv at debian.org
Mon Jun 18 14:14:03 BST 2018


Source: cantata
Version: 2.3.0.ds1-1
Severity: important
Tags: security

cantata contains a helper program cantata-mounter
which runs as root (via D-Bus activation) and allows
unprivileged users to do privileged mount operations via D-Bus
IPC. This turns out to have several security vulnerabilities
(<http://www.openwall.com/lists/oss-security/2018/06/18/1>) with the
worst-case impact being local root privilege escalation.

Mitigation: the Debian packaging doesn't seem to build cantata-mounter
(or at least https://packages.debian.org/unstable/cantata says it isn't
in the binary package for the architectures I tried). However, d/rules
doesn't *explicitly* disable it, so I think there's a risk that it might
become enabled by mistake in a future upload.

Please close this bug when either cantata-mounter is specifically
disabled, or the upstream source has been upgraded to a version that no
longer includes cantata-mounter.
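One way to guard against the helper being enabled by mistake is a post-build check on the package contents. The following shell snippet is an added example, not part of this report or of the cantata packaging: it scans a file listing of the kind `dpkg-deb -c` produces and fails if it sees the `cantata-mounter` binary or any D-Bus system-bus policy or activation file (the paths under `/usr/share/dbus-1/system-services`, `/etc/dbus-1/system.d` and `/usr/share/dbus-1/system.d` are the standard locations; the `mpd.cantata.mounter.*` file names below are constructed for the sample, not taken from upstream). The listings are constructed inline so the check runs offline; in the real packaging it would be run from an `override_dh_install` target (or similar) against the staged tree, alongside explicitly passing whichever upstream build option disables the helper (not verified here).

```shell
#!/bin/sh
# Added example: fail if a package file list contains the root helper
# or any D-Bus *system* bus activation/policy file. Session-bus service
# files under /usr/share/dbus-1/services/ are deliberately not matched,
# since those do not run as root.
MOUNTER_PATTERNS='(^|/)cantata-mounter$|/usr/share/dbus-1/system-services/|/etc/dbus-1/system\.d/|/usr/share/dbus-1/system\.d/'

# check_file_list: reads one path per line on stdin.
# Returns 0 when nothing suspicious is present, 1 (and prints the
# offending paths to stderr) otherwise.
check_file_list() {
    matches=$(grep -E "$MOUNTER_PATTERNS" || true)
    if [ -n "$matches" ]; then
        printf 'unexpected privileged helper files:\n%s\n' "$matches" >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (dpkg-deb -c style paths, not real package contents).
CLEAN_LIST='./usr/bin/cantata
./usr/share/applications/cantata.desktop
./usr/share/dbus-1/services/mpd.cantata.service'

BAD_LIST='./usr/bin/cantata
./usr/bin/cantata-mounter
./usr/share/dbus-1/system-services/mpd.cantata.mounter.service
./etc/dbus-1/system.d/mpd.cantata.mounter.conf'

# clean_ok / bad_rejected: named wrappers over the two samples so the
# outcome is a return value rather than only printed output.
clean_ok() {
    printf '%s\n' "$CLEAN_LIST" | check_file_list
}

bad_rejected() {
    if printf '%s\n' "$BAD_LIST" | check_file_list 2>/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone usage: report both sample results.
if clean_ok; then echo "clean listing: accepted"; fi
if bad_rejected; then echo "listing with cantata-mounter: rejected"; fi
```

Against a real build, replace the constructed listing with `dpkg-deb -c cantata_*.deb | awk '{print $NF}' | check_file_list` in the packaging's install override so the build fails rather than silently shipping the helper.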

Thanks,
    smcv

