Control: retitle -1 g810-led: Security risk: Leaves /dev/input/event* with read and write permissions for all users (CVE-2022-46338)
On Mon, Nov 28, 2022 at 03:45:16PM +0100, Xavi Drudis Ferran wrote:
> Package: g810-led
> Version: 0.4.2-2.1
> Severity: critical
> Tags: patch upstream security
> Justification: root security hole
> X-Debbugs-Cc: xdru...@tinet.cat, Debian Security Team
> <t...@security.debian.org>
>
> Dear Maintainer,
>
> I hesitate to file as critical, but I came across a bug report in
> upstream that looked serious enough since it would allow all local
> processes to eavesdrop on keyboard input, including passwords, etc. I
> haven't tried an exploit, but it seemed better to just restrict
> /dev/input/event* permissions to those of other event dev files.
>
> Without this patch, I can read /dev/input/event2 and /dev/input/event3 as a
> normal user. I see bytes in /dev/input/event2 when typing as a normal
> user and also typing in another terminal (Konsole) typing as
> root. event3 only shows the characters typed by the normal user.
>
> With the patch I can't read /dev/input/event* as a normal user.
>
> And the bug is publicly reported upstream (some 10 days ago).
>
> * What led up to the situation?
>
> Reviewing upstream bugs, found https://github.com/MatMoul/g810-led/issues/293
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Nothing really. I wrote the patch, rebuilt, and observed the
> permissions were fixed. My keyboard seems to work both with and
> without the patch (needs a kernel with CONFIG_HIDRAW), when calling
> g810-led as root. As normal user it doesn't work (both with or without
> patch), due to no permission for /dev/hidraw2.
>
> It should really be fixed upstream, but maybe it's worth fixing meanwhile
> or removing the package temporarily?

The issue got CVE-2022-46338 assigned by MITRE.

Stephen, the issue is marked no-dsa for bullseye, but a fix might still
go through the upcoming point release (scheduled for 17th December).

Regards,
Salvatore
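
A check for the exposure reported in this thread, as an added example that is not part of the original messages or of the g810-led package: it lists `/dev/input/event*` nodes whose mode grants read or write access to "other" users. The function name `audit_event_nodes` and its output format are made up for this illustration, and it assumes GNU `stat`.

```sh
#!/bin/sh
# Added example (not from the bug report or the package).
# Reports event nodes whose permission bits give "other" users read and/or
# write access, which is the condition described in the report.
# Only mode bits are checked; POSIX ACLs are not inspected.
#
# Usage: audit_event_nodes [DIR]     (DIR defaults to /dev/input)
# Returns 0 if no node is exposed, 1 otherwise.
audit_event_nodes() {
    dir=${1:-/dev/input}
    exposed=0
    for node in "$dir"/event*; do
        [ -e "$node" ] || continue              # glob matched nothing
        # %a prints the octal mode, e.g. 660 or 666 (GNU stat assumed)
        mode=$(stat -c '%a' "$node" 2>/dev/null) || continue
        other=${mode#"${mode%?}"}               # last octal digit = "other" bits
        case $other in
            6|7) access=read+write ;;
            4|5) access=read ;;
            2|3) access=write ;;
            *)   continue ;;                    # no read/write for "other"
        esac
        printf '%s mode=%s other=%s\n' "$node" "$mode" "$access"
        exposed=1
    done
    [ "$exposed" -eq 0 ]
}

# Run against the real device directory only when asked to.
if [ "${1:-}" = "--run" ]; then
    audit_event_nodes /dev/input
fi
```

Run it before and after installing a package that ships udev rules for input devices; a non-zero exit status means at least one event node is readable or writable by every local user.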