Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
Dear release team,

g810-led has a security issue in stable; it leaves /dev/input/eventXX device nodes world-readable and writable (CVE-2022-46338). The issue is marked no-dsa, but I would like to provide a fix in the next point-release. The fix is already in unstable (0.4.2-3).

The attached debdiff fixes the issue by patching the udev rules file: the affected device nodes have their mode set to 660 instead of 666, and uaccess is used to provide access to the user at the console.

I own relevant hardware and have verified the fix myself on a multi-user system.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

Stephen
diff -Nru g810-led-0.4.2/debian/changelog g810-led-0.4.2/debian/changelog --- g810-led-0.4.2/debian/changelog 2020-05-23 20:33:29.000000000 +0200 +++ g810-led-0.4.2/debian/changelog 2022-11-30 08:24:25.000000000 +0100 @@ -1,3 +1,11 @@ +g810-led (0.4.2-1+deb11u1) bullseye; urgency=medium + + * Control device access with uaccess instead of making everything + world-writable. Thanks to Xavi Drudis Ferran for the report! + Closes:#1024998. (CVE-2022-46338.) + + -- Stephen Kitt <sk...@debian.org> Wed, 30 Nov 2022 08:24:25 +0100 + g810-led (0.4.2-1) unstable; urgency=medium * New upstream release. diff -Nru g810-led-0.4.2/debian/patches/device-permissions.patch g810-led-0.4.2/debian/patches/device-permissions.patch --- g810-led-0.4.2/debian/patches/device-permissions.patch 1970-01-01 01:00:00.000000000 +0100 +++ g810-led-0.4.2/debian/patches/device-permissions.patch 2022-11-30 08:23:44.000000000 +0100 @@ -0,0 +1,74 @@ +commit e2b486fd1bc21e0b784e1b4c959770772dfced24 +Author: Stephen Kitt <st...@sk2.org> +Date: Mon Nov 28 21:05:05 2022 +0100 + + Rely on uaccess to control device access + + The udev rules currently make supported device nodes world-readable + and writable, which means that any process on the system can read + traffic from keyboards including passwords etc. To avoid this, while + still allowing the "controlling" user to run g810-led without being + root, this patch adds a uaccess tag; this ensures that the user at the + console has write access to the devices. The mode is also changed to + 660 to ensure that existing device nodes are fixed on upgrade. + + Thanks to Xavi Drudis Ferran for bringing this to my attention. + + Fixes: #293 + 
Signed-off-by: Stephen Kitt <st...@sk2.org> + +diff --git a/udev/g810-led.rules b/udev/g810-led.rules +index 90b743b..ea05726 100644 +--- a/udev/g810-led.rules ++++ b/udev/g810-led.rules +@@ -1,25 +1,25 @@ +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33f", MODE="666" RUN+="/usr/bin/g815-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", 
SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" +-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="660", 
TAG+="uaccess", RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g410-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g413-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g512-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g513-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33f", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g815-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="660", TAG+="uaccess", 
RUN+="/usr/bin/gpro-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c336", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g213-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c330", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g410-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33a", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g413-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c342", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g512-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c33c", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g513-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c333", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c338", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g610-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c337", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c32b", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c335", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g910-led -p /etc/g810-led/profile" ++ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c339", MODE="660", TAG+="uaccess", RUN+="/usr/bin/gpro-led -p 
/etc/g810-led/profile" diff -Nru g810-led-0.4.2/debian/patches/series g810-led-0.4.2/debian/patches/series --- g810-led-0.4.2/debian/patches/series 2020-05-23 19:42:28.000000000 +0200 +++ g810-led-0.4.2/debian/patches/series 2022-11-30 08:23:44.000000000 +0100 @@ -1 +1,2 @@ build.patch +device-permissions.patch
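Review bot: in the device-permissions.patch hunk, every rule still carries ACTION=="add", so the commit message's claim that the mode change "ensures that existing device nodes are fixed on upgrade" only holds if the upgrade path generates an add event for the keyboard (a re-plug, a reboot, or `udevadm trigger --action=add` on the device); a plain `udevadm trigger` emits change events, which these rules do not match. Consider keeping ACTION=="add" only for the RUN+= part and putting MODE="660", TAG+="uaccess" in a rule without the ACTION match, so that a change event also re-applies the permissions. Two further points on the same lines: the rules key only on SUBSYSTEMS=="usb" plus ATTRS{idVendor}/ATTRS{idProduct}, which matches every node beneath the keyboard's USB device (the /dev/input/event* nodes named in the report included), so the console user still gets read access to the keystroke stream of the whole device rather than just the node g810-led needs; if the tool only needs the hidraw or usb device node, narrowing the match (for example with SUBSYSTEM=="hidraw" or a KERNEL match) would leave the event nodes at their default mode. Also worth confirming that the installed rules file sorts before 73-seat-late.rules, since the uaccess tag only results in an ACL for the seat user if it is set before that rule runs.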
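A practitioner reviewing this fix will want to check whether any other installed udev rule grants world-readable or world-writable device modes the same way the pre-fix g810-led rules did, and whether a given rule has been converted to the 660 + uaccess pattern. The following audit script is an added example and is not part of the Debian package or of g810-led; it assumes the standard rules directories (/etc/udev/rules.d, /lib/udev/rules.d, /usr/lib/udev/rules.d) and uses constructed sample rule lines in the style of the debdiff above to show the pre-fix and post-fix forms side by side.

```python
"""Audit udev rules for world-accessible MODE assignments (added example)."""
import os
import re
import stat
import sys
from pathlib import Path

# udev mode assignments look like MODE="0666" or MODE:="666"; capture the
# octal value so the "other" permission bits can be inspected.
MODE_RE = re.compile(r'\bMODE\s*:?=\s*"(?P<mode>[0-7]{3,4})"')
TAG_RE = re.compile(r'\bTAG\s*\+=\s*"uaccess"')
ID_RE = re.compile(
    r'ATTRS?\{idVendor\}=="(?P<vid>[0-9a-fA-F]{4})"'
    r'.*?ATTRS?\{idProduct\}=="(?P<pid>[0-9a-fA-F]{4})"'
)

# Assumed standard locations; adjust for non-Debian layouts.
DEFAULT_RULES_DIRS = ("/etc/udev/rules.d", "/lib/udev/rules.d", "/usr/lib/udev/rules.d")


def world_accessible(mode_octal):
    """True if the 'other' class gets read or write on this octal mode string."""
    bits = int(mode_octal, 8)
    return bool(bits & (stat.S_IROTH | stat.S_IWOTH))


def audit_rules_text(text):
    """Return one finding per non-comment rule line that sets MODE.

    Each finding records the mode, whether it is world-accessible, whether
    the rule also tags the device 'uaccess' (the fixed pattern), and the
    USB vendor:product pair if the rule matches on idVendor/idProduct.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = MODE_RE.search(stripped)
        if not m:
            continue
        mode = m.group("mode")
        ids = ID_RE.search(stripped)
        findings.append({
            "line": lineno,
            "mode": mode,
            "world": world_accessible(mode),
            "uaccess": bool(TAG_RE.search(stripped)),
            "usb_id": f"{ids.group('vid')}:{ids.group('pid')}".lower() if ids else None,
        })
    return findings


def audit_rules_dirs(dirs=DEFAULT_RULES_DIRS):
    """Scan the rules directories and return only world-accessible MODE rules."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in sorted(Path(d).glob("*.rules")):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for finding in audit_rules_text(text):
                if finding["world"]:
                    finding["file"] = str(path)
                    results.append(finding)
    return results


def node_world_accessible(path):
    """Check an existing device node (or any file) for o+r / o+w bits."""
    st = os.stat(path)
    return bool(st.st_mode & (stat.S_IROTH | stat.S_IWOTH))


# Constructed sample: the pre-fix and post-fix form of one g810-led rule
# from the debdiff, plus an unrelated world-readable hidraw rule.
SAMPLE_RULES = '''\
# comment line, ignored by the audit
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", ATTRS{idProduct}=="c331", MODE="660", TAG+="uaccess", RUN+="/usr/bin/g810-led -p /etc/g810-led/profile"
KERNEL=="hidraw*", MODE="0644"
'''

if __name__ == "__main__":
    hits = audit_rules_dirs()
    for h in hits:
        print(f'{h["file"]}:{h["line"]}: MODE={h["mode"]} usb_id={h["usb_id"]} uaccess={h["uaccess"]}')
    sys.exit(1 if hits else 0)
```

Run as a script it walks the installed rules directories and exits non-zero if any rule hands out o+r or o+w on a device node, printing the file, line, mode and USB ID so the rule can be traced back to its package; `node_world_accessible` can be pointed at /dev/input/event* nodes after a re-plug to confirm the new mode actually took effect.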