Bug#1025137: bullseye-pu: package g810-led/0.4.2-1

To: Stephen Kitt <skitt@debian.org>, 1025137@bugs.debian.org
Subject: Bug#1025137: bullseye-pu: package g810-led/0.4.2-1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Wed, 07 Dec 2022 20:30:22 +0000
Message-id: <[🔎] a2e687ceafd0f943aef26fce944462378e94694b.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1025137@bugs.debian.org
In-reply-to: <166979353683.984217.13310598324084335108.reportbug@heffalump.sk2.org>
References: <166979353683.984217.13310598324084335108.reportbug@heffalump.sk2.org> <166979353683.984217.13310598324084335108.reportbug@heffalump.sk2.org>

Control: tags -1 + confirmed

On Wed, 2022-11-30 at 08:32 +0100, Stephen Kitt wrote:
> g810-led has a security issue in stable; it leaves /dev/input/eventXX
> device nodes world-readable and writable (CVE-2022-46338). The issue
> is marked no-dsa, but I would like to provide a fix in the next
> point-release. The fix is already in unstable (0.4.2-3).
> 
> The attached debdiff fixes the issue by patching the udev rules file:
> the affected device nodes have their mode set to 660 instead of 666,
> and uaccess is used to provide access to the user at the console. I
> own relevant hardware and have verified the fix myself on a multi-
> user
> system.
> 

Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Bug#1025083: bullseye-pu: package omnievents/1:2.6.2-5.1+deb11u1
Next by Date: Processed: Re: Bug#1025137: bullseye-pu: package g810-led/0.4.2-1
Previous by thread: Processed: Re: Bug#1025083: bullseye-pu: package omnievents/1:2.6.2-5.1+deb11u1
Next by thread: Processed: Re: Bug#1025137: bullseye-pu: package g810-led/0.4.2-1
Index(es):
- Date
- Thread