The Mobian Team have recently released a security update fixing a local vulnerability caused by a bug in our Bookworm images.
User Action Required
Mobian users must install the following package in order to address the issues described in this post.
A normal upgrade which can be done using
sudo apt update && sudo apt upgrade or via Gnome Software
will take care of this.
- For Bookworm users:
mobian-tweaks-common, version 0.5.6+deb12u1
- For Trixie and Staging users:
mobian-tweaks-common, version 0.5.9
These packages include an install script which fixes the permissions on the effected files. They are currently
bookworm-updates repositories and will migrate to
in the coming week.
The Bookworm images released earlier this year had a small number of files with global
write permissions. As two of these files manage the configuration of the
manager, they provide an attacker with a useful privilege escalation method.
This issue seems to only affect the released Bookworm images, though a full audit of weekly images has not been undertaken. Users who installed on Trixie were likely never effected.
These files could allow a local user to gain root access to the device by modifying them and waiting for the user to install an attacker provided update. This attack would require access to an unlocked or otherwise already compromised device as a standard user.
There is no way to carry this attack out remotely or on a locked device.
Indicators of Compromise
Users can verify the current configuration of their system by checking the relevant files. Changes to these files to not immediately mean the device has been compromised, but may warrant further investigation.
/etc/apt/sources.list.d/mobian.list should contain (potentially with a different distribution):
deb http://repo.mobian.org/ <distribution> main non-free-firmware
/etc/apt/trusted.gpg.d/mobian.gpg can be verified using the command
shasum -c checksum.txt aganist the following checksum file:
Our thanks go to @Ove for discovering and reporting the issue.