diff -Nru usb-creator-0.2.38.1/.bzr-builddeb/default.conf usb-creator-0.2.38.3/.bzr-builddeb/default.conf --- usb-creator-0.2.38.1/.bzr-builddeb/default.conf 1970-01-01 00:00:00.000000000 +0000 +++ usb-creator-0.2.38.3/.bzr-builddeb/default.conf 2013-12-16 23:41:32.000000000 +0000 @@ -0,0 +1,2 @@ +[BUILDDEB] +native = True diff -Nru usb-creator-0.2.38.1/bin/usb-creator-helper usb-creator-0.2.38.3/bin/usb-creator-helper --- usb-creator-0.2.38.1/bin/usb-creator-helper 2012-07-26 15:38:15.000000000 +0000 +++ usb-creator-0.2.38.3/bin/usb-creator-helper 2013-12-16 23:41:32.000000000 +0000 @@ -207,29 +207,18 @@ '/org/freedesktop/UDisks') device = udisks.FindDeviceByDeviceFile(device, dbus_interface=DISKS_IFACE) dev = bus.get_object(DISKS_IFACE, device) - - # TODO LOCK - unmount_all(device) - # Do NOT use the disk if asked to format a partition. - # We still need to obtain the disk device name to zero out the MBR + # Use the disk if asked to format a partition. if dev.Get(device, 'device-is-partition', dbus_interface=PROPS_IFACE): - # Create the partition - dev.PartitionModify('0x0c', '', ['boot'], dbus_interface=DEVICE_IFACE) - dev.FilesystemCreate('vfat', [], dbus_interface=DEVICE_IFACE) - - # Get the master device device = dev.Get(device, 'partition-slave', dbus_interface=PROPS_IFACE) dev = bus.get_object(DISKS_IFACE, device) - else: - # Create a new partition table and a FAT partition. - size = dev.Get(device, 'device-size', dbus_interface=PROPS_IFACE) - dev.PartitionTableCreate('mbr', [], dbus_interface=DEVICE_IFACE, - timeout=600) - dev.PartitionCreate(0, size, '0x0c', '', ['boot'], [], 'vfat', [], - dbus_interface=DEVICE_IFACE) - - # Zero out the MBR. Will require fancy privileges. dev_file = dev.Get(device, 'device-file', dbus_interface=PROPS_IFACE) + # TODO LOCK + unmount_all(device) + size = dev.Get(device, 'device-size', dbus_interface=PROPS_IFACE) + dev.PartitionTableCreate('mbr', [], dbus_interface=DEVICE_IFACE, timeout=600) + dev.PartitionCreate(0, size, '0x0c', '', ['boot'], [], 'vfat', [], + dbus_interface=DEVICE_IFACE) + # Zero out the MBR. Will require fancy privileges. popen(['dd', 'if=/dev/zero', 'of=%s' % dev_file, 'bs=446', 'count=1']) # TODO UNLOCK @@ -297,9 +286,8 @@ # we don't need is_challenge return here, since we call with # AllowUserInteraction (is_auth, _, details) = self.polkit.CheckAuthorization( - ('unix-process', {'pid': dbus.UInt32(pid, - variant_level=1), 'start-time': - dbus.UInt64(0, variant_level=1)}), priv, {'': ''}, + ('system-bus-name', {'name': dbus.String(sender, + variant_level = 1)}), priv, {'': ''}, dbus.UInt32(1), '', timeout=600) except dbus.DBusException as e: if e._dbus_error_name == 'org.freedesktop.DBus.Error.ServiceUnknown': diff -Nru usb-creator-0.2.38.1/debian/changelog usb-creator-0.2.38.3/debian/changelog --- usb-creator-0.2.38.1/debian/changelog 2012-07-26 15:46:09.000000000 +0000 +++ usb-creator-0.2.38.3/debian/changelog 2013-12-17 00:08:33.000000000 +0000 @@ -1,11 +1,22 @@ -usb-creator (0.2.38.1) precise-proposed; urgency=low +usb-creator (0.2.38.3) precise-proposed; urgency=low - * Only clear the selected partition on the disk, not the entire disk - (LP: #484252). Thanks to Dmitrijs Ledkovs! - * KDE: don't duplicate entries by improper removal of entries on update - (LP: #992061). Thanks to Harald Sitter! + [ Chris Wulff ] + * Initialise threads, before starting background task thread. (LP: + #915626) - -- Stéphane Graber Thu, 26 Jul 2012 11:46:04 -0400 + -- Brian Murray Mon, 16 Dec 2013 16:08:05 -0800 + +usb-creator (0.2.38.2) precise-security; urgency=low + + * SECURITY UPDATE: possible privilege escalation via policykit UID lookup + race. + - bin/usb-creator-helper: pass system-bus-name as a subject instead of + pid so policykit can get the information from the system bus. + - CVE-2013-1063 + * This update does _not_ include the changes from 0.2.38.1 that was + in precise-proposed. + + -- Marc Deslauriers Wed, 18 Sep 2013 11:34:06 -0400 usb-creator (0.2.38) precise; urgency=low diff -Nru usb-creator-0.2.38.1/usbcreator/backends/udisks/backend.py usb-creator-0.2.38.3/usbcreator/backends/udisks/backend.py --- usb-creator-0.2.38.1/usbcreator/backends/udisks/backend.py 2012-07-26 15:38:11.000000000 +0000 +++ usb-creator-0.2.38.3/usbcreator/backends/udisks/backend.py 2013-12-17 00:07:52.000000000 +0000 @@ -1,6 +1,6 @@ import dbus import logging -from dbus.mainloop.glib import DBusGMainLoop +from dbus.mainloop.glib import DBusGMainLoop, threads_init from usbcreator.backends.base import Backend from usbcreator.misc import * @@ -19,6 +19,7 @@ self.allow_system_internal = allow_system_internal logging.debug('UDisksBackend') DBusGMainLoop(set_as_default=True) + threads_init() if bus: self.bus = bus else: @@ -284,6 +285,10 @@ try: dk = self.bus.get_object(DISKS_IFACE, device) dev = dk.Get(device, 'device-file', dbus_interface=PROPS_IFACE) + if dk.Get(dev, 'device-is-partition', dbus_interface=PROPS_IFACE): + dev = dk.Get(dev, 'partition-slave', dbus_interface=PROPS_IFACE) + dk = self.bus.get_object(DISKS_IFACE, dev) + dev = dk.Get(device, 'device-file', dbus_interface=PROPS_IFACE) p = self.targets[device]['parent'] if p and p in self.targets: self.formatting.append(p) diff -Nru usb-creator-0.2.38.1/usbcreator/frontends/kde/frontend.py usb-creator-0.2.38.3/usbcreator/frontends/kde/frontend.py --- usb-creator-0.2.38.1/usbcreator/frontends/kde/frontend.py 2012-07-26 15:45:14.000000000 +0000 +++ usb-creator-0.2.38.3/usbcreator/frontends/kde/frontend.py 2013-12-16 23:41:32.000000000 +0000 @@ -263,7 +263,7 @@ for i in range(0,self.__mainWindow.ui_dest_list.topLevelItemCount()): item = self.__mainWindow.ui_dest_list.topLevelItem(i) if item.data(0,Qt.UserRole).toPyObject() == target: - self.__mainWindow.ui_dest_list.takeTopLevelItem(i) + self.__mainWindow.ui_dest_list.removeItemWidget(item,0) break if not self.__mainWindow.ui_dest_list.currentItem():