Bug#901798: cantata: source contains insecure mount.cifs wrapper, cantata-mounter

Salvatore Bonaccorso carnil at debian.org
Mon Jun 18 21:11:55 BST 2018


Control: severity -1 grave

Hi Simon,

[not the maintainer here]

On Mon, Jun 18, 2018 at 02:14:03PM +0100, Simon McVittie wrote:
> Source: cantata
> Version: 2.3.0.ds1-1
> Severity: important
> Tags: security
> 
> cantata contains a helper program cantata-mounter
> which runs as root (via D-Bus activation) and allows
> unprivileged users to do privileged mount operations via D-Bus
> IPC. This turns out to have several security vulnerabilities
> (<http://www.openwall.com/lists/oss-security/2018/06/18/1>) with the
> worst-case impact being local root privilege escalation.
> 
> Mitigation: the Debian packaging doesn't seem to build cantata-mounter
> (or at least https://packages.debian.org/unstable/cantata says it isn't
> in the binary package for the architectures I tried). However, d/rules
> doesn't *explicitly* disable it, so I think there's a risk that it might
> become enabled by mistake in a future upload.
> 
> Please close this bug when either cantata-mounter is specifically
> disabled, or the upstream source has been upgraded to a version that no
> longer includes cantata-mounter.

I might be wrong, but according to
http://www.openwall.com/lists/oss-security/2018/06/18/1 (and this looks
true for unstable and testing, which have 2.3.0.ds1-1): "The daemon code
is part of cantata since version 2.0.0 and it is built by default in
versions 2.3.0 and 2.3.1. Before 2.3.0 it was only built if
`-DENABLE_REMOTE_DEVICES=ON` was passed to the cmake invocation."

The unstable binary package has both

/usr/share/dbus-1/system-services/mpd.cantata.mounter.service

and

/usr/lib/cantata/cantata-mounter

Just not to be sorry afterwards, I'm raising the severity for this
bug. For stretch and older I think this is less of a problem, because
cantata-mounter is not built, and the service is not installed.

Regards,
Salvatore
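As an added example (mine, not code from the bug report or from the cantata project): a small audit script that parses D-Bus system service activation files, flags those that activate a helper as root, and checks whether the helper binary is actually installed, which is the check Salvatore did by hand against the two paths above. The sample service file contents are constructed for illustration; the exact fields of the real mpd.cantata.mounter.service are not shown on this page.

```python
"""Audit D-Bus system service activation files for root-activated helpers.

Added example, not part of the bug report or the cantata project. The
sample service files below are constructed; the real file may differ.
"""
import configparser
import os
from pathlib import Path

# Directory Debian uses for system-bus activation files (from the report).
SYSTEM_SERVICE_DIR = "/usr/share/dbus-1/system-services"

# Constructed sample: a helper activated as root on the system bus.
SAMPLE_ROOT_SERVICE = """\
[D-BUS Service]
Name=mpd.cantata.mounter
Exec=/usr/lib/cantata/cantata-mounter
User=root
"""

# Constructed sample: a service activated under an unprivileged account.
SAMPLE_UNPRIV_SERVICE = """\
[D-BUS Service]
Name=org.example.Unprivileged
Exec=/usr/lib/example/helper --system
User=messagebus
"""


def parse_service(text):
    """Return (name, exec_line, user) from the [D-BUS Service] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sect = cp["D-BUS Service"]
    return sect.get("Name"), sect.get("Exec"), sect.get("User")


def audit_service(text, binary_exists=os.path.exists):
    """Classify one activation file.

    root_activated: the bus daemon would start the helper as root.
    binary_installed: the Exec target is actually present on disk, so the
    activation entry is live rather than dangling.
    """
    name, exec_line, user = parse_service(text)
    exec_bin = exec_line.split()[0] if exec_line else None
    return {
        "name": name,
        "exec": exec_bin,
        "user": user,
        "root_activated": user == "root",
        "binary_installed": bool(exec_bin) and binary_exists(exec_bin),
    }


def audit_directory(path=SYSTEM_SERVICE_DIR):
    """Return findings for every root-activated service file in `path`."""
    findings = []
    for f in sorted(Path(path).glob("*.service")):
        try:
            findings.append(audit_service(f.read_text()))
        except (configparser.Error, KeyError):
            continue  # malformed file or no [D-BUS Service] section
    return [r for r in findings if r["root_activated"]]


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the live system (if any).
    print(audit_service(SAMPLE_ROOT_SERVICE, binary_exists=lambda p: True))
    print(audit_service(SAMPLE_UNPRIV_SERVICE, binary_exists=lambda p: True))
    for finding in audit_directory():
        status = "installed" if finding["binary_installed"] else "dangling"
        print(f"root-activated: {finding['name']} -> {finding['exec']} ({status})")
```

Run on a Debian system, the `__main__` section lists every system-bus service that would be started as root and whether its Exec target exists, which is the pair of facts the severity bump above rests on.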
