Ubuntu
coherence package

Security problems (unacceptable behaviour) in sharing content via FSStore backend

Bug #725556 reported by PhobosK
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Coherence
Fix Released
Unknown
coherence (Ubuntu)
Won't Fix
Low
Unassigned

Bug Description

I have reported this bug upstream also -http://coherence.beebits.net/ticket/338 . It concerns coherence version 0.6.6.2 and to be more exact its "MediaServer Backend FileSystem".
Here are the actual problems:

There are a couple of security problems when using the FSStore backend in Coherence 0.6.6.2. They consist in an unacceptable behaviour like sharing inappropriate content without users to be aware of... Namely:

   1. When the plugin is used without any content option (i.e. content is None) it by default shares the Music, Videos and Pictures folders (using the xdg.py return values). This can be tested by starting applet-coherence for example. It uses

      "coherence --plugin=backend:FSStore,name:USER@HOST"

      as a command line and thus exporting the above mentioned folders (this is when there is no ~/.coherence config file which is the default state of the package).

    * Problem: The problem is that the user is not aware of this behaviour and these folders could contain sensitive materials that the user does not want to share.
    * Solution: It is much better to use as default share folder the XDG_PUBLICSHARE_DIR. At least the user knows it is shared and he does not keep sensitive materials there.

   2. When an empty content is passed to update_config() in FSStore backend (for example when all content is removed by the export widget in av_widgets.py), the os.path.abspath("") expands to the user's home folder thus exporting all his folders and files there. This is totally unacceptable. This case can be tested using the Nautilus coherence extensions with a "Sharing as a Media Server" option.

I have created a patch to fix these problems.
The sources debdiff file is between coherence_0.6.6.2-5.dsc coherence_0.6.6.2-6.dsc considering the 0.6.6.2-6 version will go to maverick-security.

I know that adding new features to a package in maverick-security is unacceptable, but i put a very small fix to the applet-coherence too fixing upstream bug i have reported for the applet too - http://coherence.beebits.net/ticket/339
It doesn't change the functionality so much so i hope it will remain.

The tests i have run on my maverick with this package are ok and no bugs found till now...
I put this as a security vulnerability because sharing users' content without their explicit notice is unacceptable.
Anyway it is up to you how you will react.

I have the package in my PPA too - https://launchpad.net/~phobosk/+archive/phobosk-ppa/

And ... I will add another bug for the small fixes of applet-coherence too.

Tags: patch
Revision history for this message
PhobosK (phobosk) wrote :
Revision history for this message
PhobosK (phobosk) wrote :
Bug Watch Updater (bug-watch-updater)
Changed in coherence:
status: Unknown → New
PhobosK (phobosk)
tags: added: patch
PhobosK (phobosk)
visibility: private → public
Jamie Strandboge (jdstrand)
Changed in coherence (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Bug Watch Updater (bug-watch-updater)
Changed in coherence:
status: New → Fix Released
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Coherence is not part of the ESM supported packages list:
https://wiki.ubuntu.com/SecurityTeam/ESM/14.04#A14.04_Infrastructure_ESM_Packages

So marking it Won't Fix

Changed in coherence (Ubuntu):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.