Using calibre safely?
Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Tue, 29 Nov 2011 10:09:49 -0800
Local: Tues, Nov 29 2011 1:09 pm
Subject: Using calibre safely?
For a few months now I've been using calibre to access the 100-or-so
ebooks that I have (mostly DRM-free PDFs).
I just became aware of a vulnerability built in to calibre.
I am not enormously worried because this is a one-user system, and the
vulnerability seems to involve privilege
escalation by authorized users.

On the other hand, it appears that my calibre is listening on a TCP
port.  It's on a laptop behind a NAT router at
the moment, so I'm still safe, but because I'd like to migrate to
another system that is exposed to the net, I'd like
it to stop network access because I'm not networking any of these
books.  Not intentionally, anyway.

I'm open to advice and suggestions, including replacing calibre with
something else, but I have to end up with access to
my library and reasonable security.

--
Kevin O'Gorman, PhD

--
ubuntu-users mailing list
ubuntu-us...@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users


 
Rashkae  
From: Rashkae <ubu...@tigershaunt.com>
Date: Tue, 29 Nov 2011 14:18:06 -0500
Local: Tues, Nov 29 2011 2:18 pm
Subject: Re: Using calibre safely?
On 11/29/2011 01:09 PM, Kevin O'Gorman wrote:

> On the other hand, it appears that my calibre is listening on a TCP
> port.  It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd l

If you have an Internet-facing system, then turn on the firewall.  This
should *always* be done.  No matter how secure a default install is, it
is way too easy to unknowingly install a package that listens for
incoming network connections.

By default, Ubuntu installs UFW.  Basic firewall protection is as simple
as editing your /etc/ufw.conf file and changing Enabled to yes.

Shaun ONeil  
From: Shaun ONeil <sh...@oneil.me.uk>
Date: Tue, 29 Nov 2011 19:46:44 +0000
Local: Tues, Nov 29 2011 2:46 pm
Subject: Re: Using calibre safely?
Hi Kevin,

On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:

> For a few months now I've been using calibre to access the 100-or-so
> ebooks that I have (mostly DRM-free PDFs).
> I just became aware of a vulnerability built in to calibre.
> I am not enormously worried because this is a one-user system, and the
> vulnerability seems to involve privilege
> escalation by authorized users.

The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros.  The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30

> On the other hand, it appears that my calibre is listening on a TCP
> port.  It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd like
> it to stop network access because I'm not networking any of these
> books.  Not intentionally, anyway.

That one I wasn't expecting.  Do you have Sharing enabled?  (Preferences -> Sharing -> 'Sharing over the net')  I believe that's the only place mine's listening.

> I'm open to advice and suggestions, including replacing calibre with
> something else, but I have to end up with access to
> my library and reasonable security.

> --
> Kevin O'Gorman, PhD

Regards,
  Shaun ONeil
Ernest Doub  
From: Ernest Doub <hideser...@gmail.com>
Date: Tue, 29 Nov 2011 15:21:14 -0800
Local: Tues, Nov 29 2011 6:21 pm
Subject: Re: Using calibre safely?

You might look at FBReader, available through the Ubuntu Software Center.
I have it installed on my tablet as well as my desktop.  Don't use it very
often as I am satisfied with the Aldiko reader for my tablet and usually
am working with Open Office or PDF docs on the desktop.
--

“If I had a dollar for every time that capitalism was blamed for the
problems caused by government, I’d be a fat filmmaker with a baseball
cap.”  - from a Facebook viral video
<http://linuxcounter.net/cert/544489.png>

Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Tue, 29 Nov 2011 23:43:11 -0800
Local: Wed, Nov 30 2011 2:43 am
Subject: Re: Using calibre safely?

On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil <sh...@oneil.me.uk> wrote:
> Hi Kevin,

> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:

>> For a few months now I've been using calibre to access the 100-or-so
>> ebooks that I have (mostly DRM-free PDFs).
>> I just became aware of a vulnerability built in to calibre.
>> I am not enormously worried because this is a one-user system, and the
>> vulnerability seems to involve privilege
>> escalation by authorized users.

> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros.  The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30

I'm not using the Ubuntu version, but instead I use the calibre python
installer.  I much prefer the modern version, and 10.04 LTS is just so
out of date.  So I'm going to have to roll my own security.  I'll have
a look at that launchpad bug.

--
Kevin O'Gorman, PhD

sktsee  
From: sktsee <skts...@gmail.com>
Date: Wed, 30 Nov 2011 07:26:49 -0600
Local: Wed, Nov 30 2011 8:26 am
Subject: Re: Using calibre safely?
On 11/30/2011 01:43 AM, Kevin O'Gorman wrote:

http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog...

title: "Remove the suid mount helper used on linux and bsd, as it proved
impossible to make it secure."

This entry was under the version 0.8.25 section of calibre's changelog
and took effect 2011-11-06. The current version is 0.8.28 so that
particular issue has been remedied.

--
sktsee

Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Wed, 30 Nov 2011 09:22:28 -0800
Local: Wed, Nov 30 2011 12:22 pm
Subject: Re: Using calibre safely?

Not really.  Natty shows version 0.7.44 in the repositories.  The
current version from
the source is 0.8.28, and it still has the offending mount helper at
/opt/calibre/bin/calibre-mount-helper.

I guess I'll just delete it each time I upgrade.

--
Kevin O'Gorman, PhD

Hakan Koseoglu  
From: Hakan Koseoglu <ha...@koseoglu.org>
Date: Wed, 30 Nov 2011 17:30:22 +0000
Local: Wed, Nov 30 2011 12:30 pm
Subject: Re: Using calibre safely?
Kevin,
On 30/11/11 17:22, Kevin O'Gorman wrote:

> Not really.  Natty shows version 0.7.44 in the repositories.  The
> current version from
> the source is 0.8.28, and it still has the offending mount helper at
> /opt/calibre/bin/calibre-mount-helper.

> I guess I'll just delete it each time I upgrade.

Stick to the version coming from ubuntu. If you check the contents of
/usr/bin/calibre-mount-helper you will see that author's stupid code has
been replaced with udisks & eject by Debian lot.

--
Hakan (m1fcj) - http://www.hititgunesi.org
"What part of 'ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn'
don't you understand?"

sktsee  
From: sktsee <skts...@gmail.com>
Date: Wed, 30 Nov 2011 12:07:29 -0600
Local: Wed, Nov 30 2011 1:07 pm
Subject: Re: Using calibre safely?
On 11/30/2011 11:22 AM, Kevin O'Gorman wrote:

Actually it's been remedied in Ubuntu packages since Maverick.

http://changelogs.ubuntu.com/changelogs/pool/universe/c/calibre/calib...

calibre (0.7.2+dfsg-1) unstable; urgency=low

  * New major upstream version. See http://calibre-ebook.com/new-in/seven for
    details.
  * Refresh patches to apply cleanly.
  * debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the existence
    of the CSSRuleList.rulesOfType attribute. This makes epub conversion work
    again. (Closes: #584756)
  * Add debian/local/calibre-mount-helper: Simple and safe replacement
    for upstream's calibre-mount-helper, using udisks --mount and eject.
    (Closes: #584915, LP: #561958)

And with respect to Lucid's version, I don't think it ever was a problem
since, AFAICT, that version didn't have calibre-mount-helper included.
It's certainly not in the package's filelist.

http://packages.ubuntu.com/lucid/all/calibre/filelist

As Hakan mentioned in his reply, what calibre-mount-helper does now is
simply call udisks to mount/unmount devices. This process no longer
requires setuid privileges for calibre-mount-helper, which is what the
entire brouhaha centered around.

--
sktsee

Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Wed, 30 Nov 2011 14:23:29 -0800
Local: Wed, Nov 30 2011 5:23 pm
Subject: Re: Using calibre safely?

Dunno about Lucid, but it's definitely there (and using udisks) in
Natty's 0.7.44,
as /usr/bin/calibre-mount-helper.

OTOH, the current calibre from its author has a binary mount helper
instead of the
script that was there before, but it's still SUID+SGID which seems an
overreach for a non-administrative package.  I have removed the admin
bits, and will see if the package still works for me.  I have no idea
why the mount helper is even needed -- maybe for remote libraries?

--
Kevin O'Gorman, PhD

Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Wed, 30 Nov 2011 14:39:17 -0800
Local: Wed, Nov 30 2011 5:39 pm
Subject: Re: Using calibre safely?

AFAICT I'm not sharing.  I've not activated it either through 'Sharing
over the net' nor the separate 'Connect/share' selections.

--
Kevin O'Gorman, PhD

sktsee  
From: sktsee <skts...@gmail.com>
Date: Thu, 1 Dec 2011 15:47:22 +0000 (UTC)
Local: Thurs, Dec 1 2011 10:47 am
Subject: Re: Using calibre safely?

On Wed, 30 Nov 2011 14:23:29 -0800, Kevin O'Gorman wrote:

[snip]

> Dunno about Lucid, but it's definitely there (and using udisks) in
> Natty's 0.7.44,
> as /usr/bin/calibre-mount-helper.

> OTOH, the current calibre from its author has a binary mount helper
> instead of the
> script that was there before, but it's still SUID+SGID which seems an
> overreach for a non-administrative package.  I have removed the admin
> bits, and will see if the package still works for me.  I have no idea
> why the mount helper is even needed -- maybe for remote libraries?

That's a bit odd that it still installs calibre-mount-helper as SUID+SGID,
since it doesn't actually do anything.

$ strace -q -eprocess /opt/calibre/bin/calibre-mount-helper
execve("/opt/calibre/bin/calibre-mount-helper", ["/opt/calibre/bin/calibre-mount-h"...], [/* 43 vars */]) = 0
exit_group(1)

If you examine the source code, apparently this is exactly what it is
supposed to do:
http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/src/calibre/devices/linux_mount_helper.c

I was under the impression that the developer had modified
calibre-mount-helper to simply call udisks to handle removable media, but
he actually has calibre-mount-helper do nothing but exit with an error.
Calibre now calls a separate helper program (called udisks.py
appropriately enough) to invoke udisks.

From what I can tell just perusing some of the changed files in that
particular revision, it doesn't appear that the mount helper is called by
anything. In fact, if you were to install Calibre in your home directory
as non-root, the mount helper doesn't get installed at all. I guess there
could be some 3rd party plugins that depend on the mount helper being
present, but other than that scenario, I'm at a loss to explain why it's
still included with the main program.

Removing the suid+sgid bits sounds like a good idea though, even if the
program does nothing more than immediately exit when run.

--
sktsee

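A repeatable form of the check and fix discussed in the last two messages (Kevin stripping the admin bits from /opt/calibre/bin/calibre-mount-helper, sktsee agreeing that is sensible), as an added example that is not code from the thread or from calibre: list every setuid/setgid file under an install tree so the listing can be re-run after each upgrade, and strip those bits. The function names are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from calibre. Audits an install
# tree (e.g. /opt/calibre) for files carrying the setuid (4000) or setgid
# (2000) mode bit and, on request, strips them. Function names are
# assumptions; nothing here is calibre's own code.

# Print every regular file under directory $1 that is setuid or setgid,
# one path per line, sorted so two runs (before and after an upgrade)
# can be compared with diff.
find_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Remove the setuid and setgid bits from every file found above and
# print each path that was changed. Paths are read line by line so names
# containing spaces survive. Needs write access to the files.
strip_privileged_bits() {
    find_privileged_files "$1" | while IFS= read -r path; do
        chmod u-s,g-s "$path" && printf '%s\n' "$path"
    done
}

# Exit status 0 if directory $1 contains no setuid/setgid files,
# 1 otherwise; usable as a post-upgrade assertion in a script.
assert_no_privileged_files() {
    [ -z "$(find_privileged_files "$1")" ]
}

# Constructed sample tree mimicking the layout the thread describes:
# a setuid helper next to an ordinary binary. $1 is an empty directory.
make_sample_tree() {
    mkdir -p "$1/bin"
    : > "$1/bin/calibre-mount-helper"
    : > "$1/bin/calibre"
    chmod 4755 "$1/bin/calibre-mount-helper"   # setuid, like the helper
    chmod 0755 "$1/bin/calibre"                # plain executable
}
```

On the install the thread describes, `find_privileged_files /opt/calibre` is expected to report only bin/calibre-mount-helper; `strip_privileged_bits /opt/calibre` has to run as root if that tree is root-owned.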
Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Fri, 2 Dec 2011 11:57:32 -0800
Local: Fri, Dec 2 2011 2:57 pm
Subject: Re: Using calibre safely?

On Thu, Dec 1, 2011 at 7:47 AM, sktsee <skts...@gmail.com> wrote:
> On Wed, 30 Nov 2011 14:23:29 -0800, Kevin O'Gorman wrote:

 [snip]

> If you examine the source code, apparently this is exactly what it is
> supposed to do:
> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/src/calibre/devices/linux_mount_helper.c

Surprised, I verified this with the debugger.  On my x86, the entire program is:

(gdb) disass
Dump of assembler code for function main:
   0x080483b4 <+0>:       push   %ebp
   0x080483b5 <+1>:       mov    %esp,%ebp
   0x080483b7 <+3>:       mov    $0x1,%eax
   0x080483bc <+8>:       pop    %ebp
   0x080483bd <+9>:       ret
End of assembler dump.
(gdb)

Pretty much identical to false(1).  Not much danger there.

--
Kevin O'Gorman, PhD

Kevin O'Gorman  
From: "Kevin O'Gorman" <kogor...@gmail.com>
Date: Fri, 2 Dec 2011 21:18:58 -0800
Local: Sat, Dec 3 2011 12:18 am
Subject: Re: Using calibre safely?

On Tue, Nov 29, 2011 at 11:18 AM, Rashkae <ubu...@tigershaunt.com> wrote:
> On 11/29/2011 01:09 PM, Kevin O'Gorman wrote:

> If you have an Internet-facing system, then turn on the firewall.  This
> should *always* be done.  No matter how secure a default install is, it is
> way too easy to unknowingly install a package that listens for incoming
> network connections.

> By default, Ubuntu installs UFW.  Basic firewall protection is as simple as
> editing your /etc/ufw.conf file and changing Enabled to yes.

I tried it: edited the config file /etc/ufw/ufw.conf, and rebooted.
My apache2 web server was blocked, in spite of the entry in
/etc/ufw/applications.d.

So I disabled it again.  I'll have to spend more time reading the
documentation.  I find the mixture of configuration lines and commands
to be confusing.  I don't want to have to enter commands every time I
reboot. The bloody thing creates 31 separate tables, and there's a lot
of structure but not much guidance.  Besides that, the stuff in
applications.d has some pretty confusing stuff, which may not even be
used judging by the blocking of apache.

--
Kevin O'Gorman, PhD

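The behaviour Kevin ran into (apache blocked although a profile for it sits in /etc/ufw/applications.d) comes from UFW's split between profiles and rules: a profile only names ports, nothing is opened until `ufw allow <profile>` creates a rule, and that rule is stored in /etc/ufw/user.rules so it survives reboots without retyping anything. The following is an added example, not from the thread or from ufw itself: a parser for the profile format plus a guard that looks a profile up before emitting the two commands; the sample profile is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from ufw. A profile under
# /etc/ufw/applications.d is INI-style: a [Name] header followed by
# title=, description= and ports= lines. It defines a service; the rule
# that actually opens the ports is created with `ufw allow <Name>`.
# ENABLED=yes in /etc/ufw/ufw.conf only turns the firewall on with its
# default policy (deny incoming), which is why an unreferenced profile
# still gets blocked. Function names are assumptions.

# Print the ports= value of profile $2 from the profile files in
# directory $1 (e.g. /etc/ufw/applications.d). Prints nothing if the
# profile does not exist.
ufw_profile_ports() {
    awk -v want="[$2]" '
        $0 == want                  { insec = 1; next }
        /^\[/                       { insec = 0 }
        insec && sub(/^ports=/, "") { print; exit }
    ' "$1"/*
}

# Print the two commands that turn profile $2 into an active, persistent
# rule. Returns 1 and prints nothing when the profile is unknown, so a
# typo in the name is caught before any ufw command is run as root.
ufw_allow_commands() {
    ports=$(ufw_profile_ports "$1" "$2")
    [ -n "$ports" ] || return 1
    printf "ufw allow '%s'   # rule for %s, kept in /etc/ufw/user.rules\n" "$2" "$ports"
    printf 'ufw enable        # writes ENABLED=yes to /etc/ufw/ufw.conf\n'
}

# Constructed sample in the applications.d format (not Ubuntu's own
# apache2 profile file). $1 is an empty directory to write it into.
write_sample_profile() {
    cat > "$1/apache2.ufw.profile" <<'EOF'
[Apache]
title=Web Server
description=Apache v2 web server (HTTP only)
ports=80/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 web server (HTTP and HTTPS)
ports=80,443/tcp
EOF
}
```

To see the commands for the sample, run `d=$(mktemp -d); write_sample_profile "$d"; ufw_allow_commands "$d" 'Apache Full'`; point the first argument at /etc/ufw/applications.d to check the real profiles.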