Security fixes for DDRescue-GUI and WxFixBoot have been released

Hello everyone.

When I said I’d have some more posts coming over Christmas, this is not the kind of thing I was envisioning. Also, it’s not Christmas any more XD.

I’m going to start this post with what I said in the announcements on the project pages:

Firstly, I want to apologise. These kinds of problems are exactly the kind I’ve tried very hard to avoid, and I’m sorry that this mistake made it into a release. As annoyed as I am about this, I feel it is very important to be absolutely transparent about such matters, so the detail of the bug and the solution is below.

Now, onto the detail: If you were running DDRescue-GUI or WxFixBoot on Wayland, I had to make a workaround to allow it to run. This is because these application run a GUI as root, which Wayland doesn’t allow by default. I fully intent to rectify this issue in the next releases by only escalating privileges when required, and better isolating those bits of the program(s). As a temporary fix, the program would change this setting, and then change it back as soon as it was closed. However, due to an oversight on my part, the workaround was not disabled on closing the program.

A reboot would fix the issue, as the setting is reset on power up, but nevertheless I consider this to be an important problem. I noticed the issue yesterday evening, and I’m currently fixing it for both programs, and I will write a blog post with more details shortly.

In the mean time, please reboot any system you were running either DDRescue-GUI or WxFixBoot on, and please immediately update the programs to the newest versions. Note that if you are running on Xorg, or DDRescue-GUI versions prior to v1.7.1, or WxFixBoot versions prior to v2.0.2, you are not affected.

A short summary of the issue

To summarise, *if* you are using Wayland, *and* you don’t reboot your system even after data recovery or fixing a bootloader, *and* you used the previously patched versions of my program, you are affected by this problem. In and of itself, it isn’t a huge issue, but it becomes an issue if you have software of questionable origin installed on your machine that normally wouldn’t be able to run a GUI as root, but would temporarily be able to do as a result of all this. While I admit that this is an unlikely scenario, especially on top of all of the ifs and ands above, I take security matters very seriously, and I’m sorry if you have been affected by this bug.

Remedial action

For the user:

If you were using either program that was previously patched with this fix, please update immediately to the new versions that I released this morning and early afternoon to fix the issues.

You can get these new releases from:
DDRescue-GUI: https://launchpad.net/ddrescue-gui/1.x/1.7.1, and
WxFixBoot: https://launchpad.net/wxfixboot/2.x/2.0.2update1.

For me:

Most of the remedial action has already been done. I have:

  • Taken the affected versions down.
  • Created an announcement on the project pages for DDRescue-GUI and WxFixBoot.
  • Fixed the issue.
  • Verified that it is fixed on all supported platforms.
  • Verified that it doesn’t cause any further problems.
  • Released the updates files on my website and on launchpad.net.

I obviously don’t want a repeat of anything like this again so I will also take preventative measures. Now I have somewhere online to host release information – my website – I will:

  • Provide an update notifier in the GUI, which will alert you on startup if you aren’t using the newest version of any of my programs.
  • If there have been any security fixes for your release, I will consider whether the programs should either refuse to continue until updated, or auto-apply the security fixes.
  • You will still be able to use the programs without an internet connection, but the programs won’t be able to check for update information in that situation.

The final solution may not end up being exactly like the above, but it’s a good starting point, and whatever it ends up being, it will cover all the important bases to help mitigate against this kind of thing happening again in the future.

Summary of the summary

I apologise if you are affected by this issue. You may think this to be making a mountain out of a molehill, given the recent issues surrounding Intel’s CPUs, macOS High Sierra, and the like. I think I’ll be making a habit of making security-related posts more often. Hopefully next time it won’t be because I’ve messed up 🙂

On to more cheery topics, the posts I’ve been delaying due to my laptop will now be written and published, as said laptop is soon to be no more – it’s a pain, faulty, and I’m better off finding a replacement that spending more time trying to fix it, so I’ll be doing the posts using my normal hardware instead.

See you soon, with better news on the way, and lots of it 🙂

Tagged , , , , , , . Bookmark the permalink.

About Hamish McIntyre-Bhatty

I'm currently studying for a Computing and IT degree with the Open University, and am a software developer as well. I enjoy coding in Python, C++ (still learning), and Java. Having written 4 open-source programs (hosted on launchpad.net), set up my own website, and started volunteering at Wimborne Model Town to work on their river control system, I still find the time to enjoy cycling, acting, photography, and playing bass guitar. I go climbing every now and then as well. As you may have guessed, I also enjoy blogging :)

Leave a Reply

Your email address will not be published. Required fields are marked *