Debian Bug report logs - #696552
mtpfs merges internal and external SD card directories


Package: mtpfs; Maintainer for mtpfs is Debian QA Group <packages@qa.debian.org>; Source for mtpfs is src:mtpfs.

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Sat, 22 Dec 2012 18:18:01 UTC

Severity: grave

Tags: security

Found in version mtpfs/0.9-3

Fixed in version mtpfs/1.1-2

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>:
Bug#696552; Package mtpfs. (Sat, 22 Dec 2012 18:18:04 GMT)

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Chris Lamb <lamby@debian.org>. (Sat, 22 Dec 2012 18:18:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mtpfs merges internal and external SD card directories
Date: Sat, 22 Dec 2012 19:16:18 +0100
Package: mtpfs
Version: 0.9-3+b1
Severity: grave
Tags: security
Justification: user security hole (and possible data loss)

mtpfs from testing (the one from unstable is OK) is highly broken
when an external SD card is installed, yielding possible security
problems and data loss.

With an SD card installed in my Galaxy Note II, I get:

# ls -l /media/mtp
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Alarms
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Android
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 LOST.DIR
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Movies
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Notifications
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Pictures
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Playlists
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Podcasts
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Ringtones
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Samsung
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 cloudagent
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 samsungapps

See the duplicate directories. They actually come from both
the internal card (/storage/sdcard0/) and the external one
(/storage/extSdCard/). The external one seems to have
precedence.

So, if the user stores a private file into e.g. /media/mtp/Music/ the
file will end up on the external SD card instead of the phone, which
is a problem if the user shares the SD card with other people. The
user may also want to remove files from /media/mtp/Music/ e.g. with

  rm /media/mtp/Music/*

expecting that the files from the phone will be removed, but this
will remove the files from the SD card!

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mtpfs depends on:
ii  fuse-utils    2.9.0-2
ii  libc6         2.13-37
ii  libfuse2      2.9.2-2
ii  libglib2.0-0  2.33.12+really2.32.4-3
ii  libid3tag0    0.15.1b-10
ii  libmad0       0.15.1b-7
ii  libmtp9       1.1.5-1

mtpfs recommends no packages.

mtpfs suggests no packages.

-- no debconf information
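
The duplicate-name condition described in the report above can be detected before anything is written or deleted through the mount. The following is an added example, not part of the original report or of mtpfs; the function names are hypothetical and the listing is a constructed subset of the `ls -l` output quoted above.

```python
import os
from collections import Counter

# Constructed sample: a subset of the `ls -l /media/mtp` output quoted in the report.
SAMPLE_LISTING = """\
total 0
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 DCIM
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Download
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 Music
drwxrwxrwx 2 root root 0 1970-01-01 01:00:00 S Note
"""


def names_from_ls_l(listing):
    """Extract entry names from `ls -l` output in the format shown in the report."""
    names = []
    for line in listing.splitlines():
        # Fields: mode, links, owner, group, size, date, time, name.
        # maxsplit=7 keeps names containing spaces ("S Note") intact.
        parts = line.split(None, 7)
        if len(parts) == 8:  # skips "total 0" and blank lines
            names.append(parts[7])
    return names


def ambiguous_names(names):
    """Names listed more than once in one directory: a path through them is ambiguous."""
    return sorted(n for n, count in Counter(names).items() if count > 1)


def check_mount(mountpoint):
    """Duplicate names at the top of a live mount.

    os.listdir returns entries as the filesystem's readdir yields them,
    without de-duplicating, so a merged listing shows up here.
    """
    return ambiguous_names(os.listdir(mountpoint))


def safe_to_modify(path, mountpoint, dupes):
    """False if the first path component under the mount is a duplicated name."""
    rel = os.path.relpath(path, mountpoint)
    top = rel.split(os.sep, 1)[0]
    return top not in dupes
```

Running `check_mount("/media/mtp")` before a bulk copy or `rm` and refusing to proceed when it returns a non-empty list avoids acting on the wrong storage.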



Marked as fixed in versions mtpfs/1.1-2. Request was from Ivo De Decker <ivo.dedecker@ugent.be> to control@bugs.debian.org. (Sun, 23 Dec 2012 10:54:14 GMT)

Marked Bug as done Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 01 Jan 2013 20:42:05 GMT)

Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Tue, 01 Jan 2013 20:42:06 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:49:28 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:07:38 2014; Machine Name: beach.debian.org
