[Secure-testing-team] Bug#696552: mtpfs merges internal and external SD card directories

Vincent Lefevre vincent at vinc17.net
Sat Dec 22 18:16:18 UTC 2012


Package: mtpfs
Version: 0.9-3+b1
Severity: grave
Tags: security
Justification: user security hole (and possible data loss)

mtpfs from testing (the one from unstable is OK) is highly broken
when an external SD card is installed, yielding possible security
problems and data loss.

With an SD card installed in my Galaxy Note II, I get:

# ls -l /media/mtp
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Alarms
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Android
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 LOST.DIR
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Movies
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Notifications
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Pictures
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Podcasts
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Ringtones
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Samsung
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 cloudagent
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 samsungapps

See the duplicate directories. They actually come from both
the internal card (/storage/sdcard0/) and the external one
(/storage/extSdCard/). The external one seems to have
precedence.

So, if the user stores a private file into e.g. /media/mtp/Music/ the
file will end up on the external SD card instead of the phone, which
is a problem if the user shares the SD card with other people. The
user may also want to remove files from /media/mtp/Music/ e.g. with

  rm /media/mtp/Music/*

expecting that the files from the phone will be removed, but this
will remove the files from the SD card!

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mtpfs depends on:
ii  fuse-utils    2.9.0-2
ii  libc6         2.13-37
ii  libfuse2      2.9.2-2
ii  libglib2.0-0  2.33.12+really2.32.4-3
ii  libid3tag0    0.15.1b-10
ii  libmad0       0.15.1b-7
ii  libmtp9       1.1.5-1

mtpfs recommends no packages.

mtpfs suggests no packages.

-- no debconf information
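
Added example (not part of the original report): a shell check that flags a listing in which the same name occurs more than once, the symptom shown in the report, so a script can refuse to write to or delete from such a mount. The function names are hypothetical, the sample is constructed from the report's listing, and the parser assumes the `ls -l` column layout shown there.

```shell
#!/bin/sh
# Added example; dup_names, mount_is_unambiguous and sample_listing are
# hypothetical names, not part of mtpfs.

# dup_names: read `ls -l` lines on stdin (layout as in the report: mode, links,
# owner, group, size, date, time, name) and print each name seen more than once.
dup_names() {
    awk '
        /^total / { next }                  # skip the summary line
        NF >= 8 {
            name = $0
            # drop the seven leading fields; the rest is the name (may hold spaces)
            for (i = 1; i <= 7; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)
            if (++seen[name] == 2) print name
        }
    '
}

# mount_is_unambiguous: return 0 only if no name repeats; otherwise report the
# repeated names on stderr and return 1 so the caller can stop before rm/cp.
mount_is_unambiguous() {
    dups=$(dup_names)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups" | sed 's/^/ambiguous entry: /' >&2
    return 1
}

# Constructed sample: a subset of the listing quoted in the report.
sample_listing() {
cat <<'EOF'
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
EOF
}

# On a live mount (GNU ls), the same layout can be produced with:
#   LC_ALL=C ls -l --time-style='+%Y-%m-%d %H:%M:%S' /media/mtp | mount_is_unambiguous
sample_listing | dup_names
```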
