Bug#1025137: marked as done (bullseye-pu: package g810-led/0.4.2-1)



Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id <03e9b90cf2f149b9e2835590c9ec0ccb048b744d.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1025137,
regarding bullseye-pu: package g810-led/0.4.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1025137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025137
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

g810-led has a security issue in stable; it leaves /dev/input/eventXX
device nodes world-readable and writable (CVE-2022-46338). The issue
is marked no-dsa, but I would like to provide a fix in the next
point-release. The fix is already in unstable (0.4.2-3).

The attached debdiff fixes the issue by patching the udev rules file:
the affected device nodes have their mode set to 660 instead of 666,
and uaccess is used to provide access to the user at the console. I
own relevant hardware and have verified the fix myself on a multi-user
system.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Stephen
diff -Nru g810-led-0.4.2/debian/changelog g810-led-0.4.2/debian/changelog
--- g810-led-0.4.2/debian/changelog	2020-05-23 20:33:29.000000000 +0200
+++ g810-led-0.4.2/debian/changelog	2022-11-30 08:24:25.000000000 +0100
@@ -1,3 +1,11 @@
+g810-led (0.4.2-1+deb11u1) bullseye; urgency=medium
+
+  * Control device access with uaccess instead of making everything
+    world-writable. Thanks to Xavi Drudis Ferran for the report!
+    Closes:#1024998. (CVE-2022-46338.)
+
+ -- Stephen Kitt <skitt@debian.org>  Wed, 30 Nov 2022 08:24:25 +0100
+
 g810-led (0.4.2-1) unstable; urgency=medium
 
   * New upstream release.
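Review bot: in the new changelog stanza, `Closes:#1024998` drops the space after the colon; the usual Debian form is `Closes: #1024998`, and writing the identifier as `(CVE-2022-46338)` without the stray period inside the parentheses matches how other security changelog entries are written. The entry also only says "world-writable", while the report and the patch description both point out that the nodes were world-readable too, which is the part that exposes keystrokes; worth stating in the changelog so the security tracker entry reflects the actual impact.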
diff -Nru g810-led-0.4.2/debian/patches/device-permissions.patch g810-led-0.4.2/debian/patches/device-permissions.patch
--- g810-led-0.4.2/debian/patches/device-permissions.patch	1970-01-01 01:00:00.000000000 +0100
+++ g810-led-0.4.2/debian/patches/device-permissions.patch	2022-11-30 08:23:44.000000000 +0100
@@ -0,0 +1,74 @@
+commit e2b486fd1bc21e0b784e1b4c959770772dfced24
+Author: Stephen Kitt <steve@sk2.org>
+Date:   Mon Nov 28 21:05:05 2022 +0100
+
+    Rely on uaccess to control device access
+    
+    The udev rules currently make supported device nodes world-readable
+    and writable, which means that any process on the system can read
+    traffic from keyboards including passwords etc. To avoid this, while
+    still allowing the "controlling" user to run g810-led without being
+    root, this patch adds a uaccess tag; this ensures that the user at the
+    console has write access to the devices. The mode is also changed to
+    660 to ensure that existing device nodes are fixed on upgrade.
+    
+    Thanks to Xavi Drudis Ferran for bringing this to my attention.
+    
+    Fixes: #293
+    Signed-off-by: Stephen Kitt <steve@sk2.org>
+
+diff --git a/udev/g810-led.rules b/udev/g810-led.rules
+index 90b743b..ea05726 100644
+--- a/udev/g810-led.rules
++++ b/udev/g810-led.rules
+@@ -1,25 +1,25 @@
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33f", MODE="666" RUN+="/usr/bin/g815-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g512-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33f", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g815-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="660", TAG+="uaccess", RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g410-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g413-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g512-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g513-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile"
++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="660", TAG+="uaccess", RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile"
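Review bot: `TAG+="uaccess"` only has an effect if this rules file is processed before systemd's 73-seat-late.rules, which is where the `uaccess` builtin applies the seat ACL; the hunk does not show the filename under which the package installs udev/g810-led.rules, so please confirm the installed name sorts with a lower numeric prefix, otherwise the console user loses access entirely once the mode drops from 666 to 660. Two smaller points on the same lines: `MODE="660"` with no `GROUP=` leaves the node group-owned by root, so access is root plus the ACL'd seat user only, which is the intended outcome and worth a one-line comment in the rules file; and the rewrite silently fixes the missing comma between `MODE="666"` and `RUN+=` in the old lines, which newer udev parsers warn about, so it would be good to mention that in the patch description. The duplicated SUBSYSTEM/SUBSYSTEMS blocks are kept as they were, so both still match the same devices.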
diff -Nru g810-led-0.4.2/debian/patches/series g810-led-0.4.2/debian/patches/series
--- g810-led-0.4.2/debian/patches/series	2020-05-23 19:42:28.000000000 +0200
+++ g810-led-0.4.2/debian/patches/series	2022-11-30 08:23:44.000000000 +0100
@@ -1 +1,2 @@
 build.patch
+device-permissions.patch

--- End Message ---
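A defender-side check for the class of rule the report describes, added here as an example and not part of the bug report or of the g810-led project. It parses udev rule lines (accepting both the comma-separated form and the whitespace-separated `MODE="666" RUN+=...` form the old rules use), flags any `MODE` that grants bits to "other", and rewrites such a rule the way the patch does, to `MODE="660"` plus `TAG+="uaccess"`. The rules in `SAMPLE_RULES` are constructed for the example, reusing the G213 vendor/product ids from the patch; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One udev key expression: KEY or KEY{attr}, an operator, and a double-quoted value.
# The trailing comma is optional because udev also accepts whitespace between
# expressions, which is how the pre-fix g810-led rules are written.
_EXPR = re.compile(
    r'\s*(?P<key>[A-Za-z_]+)(?:\{(?P<attr>[^}]*)\})?\s*'
    r'(?P<op>==|!=|\+=|-=|:=|=)\s*"(?P<value>[^"]*)"\s*,?'
)


@dataclass
class Expr:
    key: str
    attr: Optional[str]
    op: str
    value: str

    def render(self) -> str:
        attr = f"{{{self.attr}}}" if self.attr is not None else ""
        return f'{self.key}{attr}{self.op}"{self.value}"'


def parse_rule(line: str) -> list[Expr]:
    """Split one udev rule line into its key expressions, in order."""
    line = line.strip()
    exprs, pos = [], 0
    while pos < len(line):
        m = _EXPR.match(line, pos)
        if m is None:
            raise ValueError(f"unparseable udev rule at offset {pos}: {line[pos:]!r}")
        exprs.append(Expr(m["key"], m["attr"], m["op"], m["value"]))
        pos = m.end()
    return exprs


def others_have_access(mode: str) -> bool:
    """True when an octal MODE value grants any r/w/x bit to 'other'."""
    try:
        return int(mode, 8) & 0o007 != 0
    except ValueError:
        return False


def audit_rule(line: str) -> list[str]:
    """Findings for one line; empty for comments, blank lines and clean rules."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    exprs = parse_rule(stripped)
    findings = []
    for e in exprs:
        if e.key == "MODE" and e.op == "=" and others_have_access(e.value):
            findings.append(f'MODE="{e.value}" lets every local user open the device node')
    return findings


def harden_rule(line: str) -> str:
    """Rewrite a world-accessible rule to MODE="660" plus TAG+="uaccess",
    keeping every other expression and emitting canonical comma separation."""
    exprs = parse_rule(line)
    has_uaccess = any(e.key == "TAG" and e.value == "uaccess" for e in exprs)
    out = []
    for e in exprs:
        if e.key == "MODE" and e.op == "=" and others_have_access(e.value):
            out.append(Expr("MODE", None, "=", "660"))
            if not has_uaccess:
                out.append(Expr("TAG", None, "+=", "uaccess"))
        else:
            out.append(e)
    return ", ".join(e.render() for e in out)


def audit_rules_file(text: str) -> list[tuple[int, str]]:
    """(line number, finding) pairs for the text of a whole rules file."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in audit_rule(line)]


# Constructed sample: one rule in the pre-fix shape (mode 666, no comma before RUN+=)
# and one in the fixed shape; the ids are the G213's from the g810-led rules.
SAMPLE_RULES = """\
# constructed sample of g810-led style rules
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g213-led -p /etc/g810-led/profile"
"""

if __name__ == "__main__":
    for lineno, finding in audit_rules_file(SAMPLE_RULES):
        print(f"line {lineno}: {finding}")
    print("hardened:", harden_rule(SAMPLE_RULES.splitlines()[1]))
```

Pointing `audit_rules_file` at each file under /etc/udev/rules.d and /usr/lib/udev/rules.d gives a quick inventory of rules that hand out world-accessible device nodes. The script checks modes only; whether a `uaccess` tag actually takes effect still depends on the rules file sorting before systemd's 73-seat-late.rules, which has to be checked by filename.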
--- Begin Message ---
Package: release.debian.org
Version: 11.6

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.6 point release.

Regards,

Adam

--- End Message ---