Hi Frederic,

On Fri, Jan 12, 2007 at 04:30:21PM +0100, Frederic Peters wrote:
> > Package: libgphoto2-2
> > Version: 2.2.1-12
> > Severity: grave
> > Tags: security
> >
> > In /etc/udev/libgphoto2_generic_ptp_support.rules, there is the following
> > rule:
> >
> > ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
> > PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i
> > $${K%%%%.*} $${K#*.}'", \
> > NAME="%c", MODE="0660", GROUP="plugdev"
> >
> > The single = sign after ENV{INTERFACE} means that the INTERFACE environment
> > variable is set, not queried. The result is that all USB devices, and not
> > only the PTP ones, are set to the plugdev group, thus giving some users
> > access to devices they should not have access to.
> >
> > Suggested fix: put two equals signs

> Sorry I could not handle this earlier. Unfortunately putting two
> equal signs doesn't work.

> Unfortunately while I thought I finally managed to get a udev rule
> working for generic PTP cameras, it appears it is broken and I can
> only suggest I remove it. This will be a regression with regards
> to Sarge where hotplug was used but I can't see any other means.

> vorlon: would such an upload have chances to get into etch?

I'm actually fairly disinclined to accept this change for etch since as you
mention it is a regression, and moreover I haven't heard anything back from
the bug submitter about what actually gets broken on his system with this
bug since it works for me.

Now, the package you've uploaded to unstable seems to offer an alternative
fix, but I have some trouble understanding it so I'm still hesitant to
accept it into etch. How does print-camera-list.c interface with udev to
trigger calling check_ptp_camera?

Anyway, without an explanation of what devices will actually be affected by
this bug in practice, I'm inclined to downgrade the bug; that doesn't mean
your bugfix won't be accepted in etch, but of course it would make doing so
a lower priority, and weight the risk of regressions more heavily.

BTW, I'm pretty sure $(< file) isn't POSIX sh, so check_ptp_camera shouldn't
have /bin/sh listed as the interpreter.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
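
An added example, not part of this mail or of the libgphoto2 package: a small Python check for the operator mix-up the report describes, flagging rules that assign ENV{...} with a single `=` while also setting MODE, GROUP or OWNER. The function names and the heuristic are assumptions made for illustration; the sample embeds the rule quoted above next to a constructed `==` variant.

```python
import re

# KEY or KEY{attr}, an operator, then a double-quoted value.
TOKEN = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')
GRANTS = {"MODE", "GROUP", "OWNER"}  # keys that change device-node access

# Constructed sample: the rule quoted in the report (PROGRAM re-joined onto
# one line), followed by the same rule with the match operator "==".
SAMPLE = r'''
# generic PTP rule as quoted in the bug report
ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"
ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}=="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"
'''

def logical_rules(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = text.replace("\\\n", " ")
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def env_assignments_with_grants(text):
    """Flag rules that assign ENV{X} with '=' (never matching ENV{X}) while
    also setting MODE/GROUP/OWNER: the condition was probably meant as '=='."""
    findings = []
    for number, rule in enumerate(logical_rules(text), start=1):
        tokens = TOKEN.findall(rule)
        grants = sorted({k for k, _, op, _ in tokens
                         if k in GRANTS and op in ("=", ":=", "+=")})
        matched = {a for k, a, op, _ in tokens
                   if k == "ENV" and op in ("==", "!=")}
        for key, attr, op, value in tokens:
            if key == "ENV" and op == "=" and grants and attr not in matched:
                findings.append((number, attr, value, grants))
    return findings

if __name__ == "__main__":
    for number, attr, value, grants in env_assignments_with_grants(SAMPLE):
        print(f"rule {number}: ENV{{{attr}}}=\"{value}\" is an assignment, "
              f"so {', '.join(grants)} apply without that condition")
```

The check only reports the operator; whether the `==` form actually matches on a given udev version is a separate question, as the thread shows.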