Using calibre safely?
Kevin O'Gorman
ebooks that I have (mostly DRM-free PDFs).
I just became aware of a vulnerability built in to calibre.
I am not enormously worried because this is a one-user system, and the
vulnerability seems to involve privilege
escalation by authorized users.
On the other hand, it appears that my calibre is listening on a TCP
port. It's on a laptop behind a NAT router at
the moment, so I'm still safe, but because I'd like to migrate to
another system that is exposed to the net, I'd like
it to stop network access because I'm not networking any of these
books. Not intentionally, anyway.
I'm open to advice and suggestions, including replacing calibre with
something else, but I have to end up with access to
my library and reasonable security.
--
Kevin O'Gorman, PhD
--
ubuntu-users mailing list
ubuntu...@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
Rashkae
> On the other hand, it appears that my calibre is listening on a TCP
> port. It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd l
If you have a Internet facing system, then turn on the firewall. This
should *always* be done. No matter how secure a default install is, it
is way too easy to unknowingly install a package that listens for
incoming network connections.
By default, Ubuntu installs UFW. Basic firewall protection is as simple
as editing your /etc/ufw.conf file and changing Enabled to yes.
Shaun ONeil
On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
> For a few months now I've been using calibre to access the 100-or-so
> ebooks that I have (mostly DRM-free PDFs).
> I just became aware of a vulnerability built in to calibre.
> I am not enormously worried because this is a one-user system, and the
> vulnerability seems to involve privilege
> escalation by authorized users.
The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
> On the other hand, it appears that my calibre is listening on a TCP
> port. It's on a laptop behind a NAT router at
> the moment, so I'm still safe, but because I'd like to migrate to
> another system that is exposed to the net, I'd like
> it to stop network access because I'm not networking any of these
> books. Not intentionally, anyway.
That one I wasn't expecting. Do you have Sharing enabled? (Preferences -> Sharing -> 'Sharing over the net') I believe that's the only place mine's listening.
> I'm open to advice and suggestions, including replacing calibre with
> something else, but I have to end up with access to
> my library and reasonable security.
>
> --
> Kevin O'Gorman, PhD
Regards,
Shaun ONeil
Ernest Doub
I have it installed on my tablet as well as my desktop. Don't use it very often as I am satisfied with the Aldiko reader for my tablet and usually are working with Open Office or PDF docs on the desktop.
--
“If I had a dollar for every time that capitalism was blamed for the problems caused by government, I’d be a fat filmmaker with a baseball cap.” - from a Facebook viral video
Kevin O'Gorman
> Hi Kevin,
>
> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>
>> For a few months now I've been using calibre to access the 100-or-so
>> ebooks that I have (mostly DRM-free PDFs).
>> I just became aware of a vulnerability built in to calibre.
>> I am not enormously worried because this is a one-user system, and the
>> vulnerability seems to involve privilege
>> escalation by authorized users.
>
> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
I'm not using the Ubuntu version, but instead I use the calibre python
installer. I much prefer the modern version, and 10.04 LTS is just so
out of date. So I'm going to have to roll my own security. I'll have
a look at that launchpad bug.
--
Kevin O'Gorman, PhD
--
sktsee
> On Tue, Nov 29, 2011 at 11:46 AM, Shaun ONeil<sh...@oneil.me.uk> wrote:
>> Hi Kevin,
>>
>> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>>
>>> For a few months now I've been using calibre to access the 100-or-so
>>> ebooks that I have (mostly DRM-free PDFs).
>>> I just became aware of a vulnerability built in to calibre.
>>> I am not enormously worried because this is a one-user system, and the
>>> vulnerability seems to involve privilege
>>> escalation by authorized users.
>>
>> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>
> I'm not using the Ubuntu version, but instead I use the calibre python
> installer. I much prefer the modern version, and 10.04 LTS is just so
> out of date. So I'm going to have to roll my own security. I'll have
> a look at that launchpad bug.
>
http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/Changelog.yaml#L210
title: "Remove the suid mount helper used on linux and bsd, as it proved
impossible to make it secure."
This entry was under the version 0.8.25 section of calibre's changelog
and took effect 2011-11-06. The current version is 0.8.28 so that
particular issue has been remedied.
--
sktsee
Kevin O'Gorman
Not really. Natty shows version 0.7.44 in the repositories. The
current version from
the source is 0.8.28, and it still has the offending mount helper at
/opt/calibre/bin/calibre-mount-helper.
I guess I'll just delete it each time I upgrade.
--
Kevin O'Gorman, PhD
--
Hakan Koseoglu
On 30/11/11 17:22, Kevin O'Gorman wrote:
> Not really. Natty shows version 0.7.44 in the repositories. The
> current version from
> the source is 0.8.28, and it still has the offending mount helper at
> /opt/calibre/bin/calibre-mount-helper.
>
> I guess I'll just delete it each time I upgrade.
Stick to the version coming from ubuntu. If you check the contents of
/usr/bin/calibre-mount-helper you will see that author's stupid code has
been replaced with udisks & eject by Debian lot.
--
Hakan (m1fcj) - http://www.hititgunesi.org
"What part of 'ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn'
don't you understand?"
sktsee
Actually it's been remedied in Ubuntu packages since Maverick.
calibre (0.7.2+dfsg-1) unstable; urgency=low
* New major upstream version. See
http://calibre-ebook.com/new-in/seven for
details.
* Refresh patches to apply cleanly.
* debian/control: Bump python-cssutils to >= 0.9.7~ to ensure the
existence
of the CSSRuleList.rulesOfType attribute. This makes epub
conversion work
again. (Closes: #584756)
* Add debian/local/calibre-mount-helper: Simple and safe replacement
for upstream's calibre-mount-helper, using udisks --mount and eject.
(Closes: #584915, LP: #561958)
And with respect to Lucid's version, I don't think it ever was a problem
since, AFAICT, that version didn't have calibre-mount-helper included.
It's certainly not in the package's filelist.
http://packages.ubuntu.com/lucid/all/calibre/filelist
As Hakan mentioned in his reply, what calibre-mount-helper does now is
simply call udisks to mount/unmount devices. This process no longer
requires setuid privileges for calibre-mount-helper, which is what the
entire brouhaha centered around.
--
sktsee
Kevin O'Gorman
Dunno about Lucid, but it's definitely there (and using udisks) in
Natty's 0.7.44,
as /usr/bin/calibre-mount-helper.
OTOH, the current calibre from its author has a binary mount helper
instead of the
script that was there before, but it's still SUID+SGID which seems an
overreach for a non-administrative package. I have removed the admin
bits, and will see if the package still works for me. I have no idea
why the mount helper is even needed -- maybe for remote libraries?
>
> As Hakan mentioned in his reply, what calibre-mount-helper does now is
> simply call udisks to mount/unmount devices. This process no longer requires
> setuid privileges for calibre-mount-helper, which is what the entire
> brouhaha centered around.
>
>
> --
> sktsee
>
>
> --
> ubuntu-users mailing list
> ubuntu...@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
Kevin O'Gorman, PhD
--
Kevin O'Gorman
>
> On 29 Nov 2011, at 18:09, Kevin O'Gorman wrote:
>
>> For a few months now I've been using calibre to access the 100-or-so
>> ebooks that I have (mostly DRM-free PDFs).
>> I just became aware of a vulnerability built in to calibre.
>> I am not enormously worried because this is a one-user system, and the
>> vulnerability seems to involve privilege
>> escalation by authorized users.
>
> The escalation that made the rounds lately does *not* affect Ubuntu (since 10.10), or most other distros. The 'helper' was replaced by the packager by something which better integrated with the methods Ubuntu uses for mounting disks - see https://bugs.launchpad.net/calibre/+bug/885027/comments/30
>
>> On the other hand, it appears that my calibre is listening on a TCP
>> port. It's on a laptop behind a NAT router at
>> the moment, so I'm still safe, but because I'd like to migrate to
>> another system that is exposed to the net, I'd like
>> it to stop network access because I'm not networking any of these
>> books. Not intentionally, anyway.
>
> That one I wasn't expecting. Do you have Sharing enabled? (Preferences -> Sharing -> 'Sharing over the net') I believe that's the only place mine's listening.
AFAICT I'm not sharing. I've not activated it either through 'Sharing
over the net' nor the separate 'Connect/share' selections.
--
Kevin O'Gorman, PhD
--
sktsee
[snip]
>
> Dunno about Lucid, but it's definitely there (and using udisks) in
> Natty's 0.7.44,
> as /usr/bin/calibre-mount-helper.
>
> OTOH, the current calibre from its author has a binary mount helper
> instead of the
> script that was there before, but it's still SUID+SGID which seems an
> overreach for a non-administrative package. I have removed the admin
> bits, and will see if the package still works for me. I have no idea
> why the mount helper is even needed -- maybe for remote libraries?
>
>
That's a bit odd that it still installs calibre-mount-helper as SUID+SGID,
since it doesn't actually do anything.
$ strace -q -eprocess /opt/calibre/bin/calibre-mount-helper
execve("/opt/calibre/bin/calibre-mount-helper", ["/opt/calibre/bin/
calibre-mount-h"...], [/* 43 vars */]) = 0
exit_group(1)
If you examine the source code, apparently this is exactly what it is
supposed to do:
http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/src/calibre/
devices/linux_mount_helper.c
I was under the impression that the developer had modified calibre-mount-
helper to simply call udisks to handle removable media, but he actually
has calibre-mount-helper do nothing but exit with an error. Calibre now
calls a separate helper program (called udisks.py appropriately enough)
to invoke udisks.
From what I can tell just perusing some of the changed files in that
particular revision, it doesn't appear that the mount helper is called by
anything. In fact, if you were to install Calibre in your home directory
as non-root, the mount helper doesn't get installed at all. I guess there
could be some 3rd party plugins that depend on the mount helper being
present, but other than that scenario, I'm at loss to explain why it's
still included with the main program.
Removing the suid+sgid bits sounds like a good idea though, even if the
program does nothing more than immediately exit when run.
Kevin O'Gorman
> On Wed, 30 Nov 2011 14:23:29 -0800, Kevin O'Gorman wrote:
[snip]
> If you examine the source code, apparently this is exactly what it is
> supposed to do:
> http://bazaar.launchpad.net/~kovid/calibre/trunk/view/head:/src/calibre/
> devices/linux_mount_helper.c
>
Surprised, I verified this with the debugger. On my x86, the entire program is:
(gdb) disass
Dump of assembler code for function main:
0x080483b4 <+0>: push %ebp
0x080483b5 <+1>: mov %esp,%ebp
0x080483b7 <+3>: mov $0x1,%eax
0x080483bc <+8>: pop %ebp
0x080483bd <+9>: ret
End of assembler dump.
(gdb)
Pretty much identical to false(1). Not much danger there.
--
Kevin O'Gorman, PhD
--
Kevin O'Gorman
> On 11/29/2011 01:09 PM, Kevin O'Gorman wrote:
>
>
> If you have a Internet facing system, then turn on the firewall. This
> should *always* be done. No matter how secure a default install is, it is
> way too easy to unknowingly install a package that listens for incoming
> network connections.
>
> By default, Ubuntu installs UFW. Basic firewall protection is as simple as
> editing your /etc/ufw.conf file and changing Enabled to yes.
>
I tried it: edited the config file /etc/ufw/ufw.conf, and rebooted.
My apache2 web server was blocked, in spite of the entry in
/etc/ufw/applications.d.
So I disabled it again. I'll have to spend more time reading the
documentation. I find the mixture of configuration lines and commands
to be confusing. I don't want to have to enter commands every time I
reboot. The bloody thing creates 31 separate tables, and there's a lot
of structure but not much guidance. Besides that, the stuff in
applications.d has some pretty confusing stuff, which may not even be
used judging by the blocking of apache.
--
Kevin O'Gorman, PhD
--