Package: usbview
Version: 2.0-21-g6fe2f4f-2
Severity: normal
Tags: patch  pending
X-Debbugs-Cc: Mark Brown <broo...@debian.org>

Hi Mark

I've prepared an NMU for usbview (versioned as 2.0-21-g6fe2f4f-2.1) and
uploaded it actually right away into the archive for unstable, along
with respective updates via buster-security and bullseye-security. I
hope this was okay for you. The reason is to fix CVE-2022-23220.
Details are in the oss-security post at [1].

 [1] https://www.openwall.com/lists/oss-security/2022/01/21/1

Regards,
Salvatore
diff -Nru usbview-2.0-21-g6fe2f4f/debian/changelog usbview-2.0-21-g6fe2f4f/debian/changelog
--- usbview-2.0-21-g6fe2f4f/debian/changelog	2018-06-04 11:52:41.000000000 +0200
+++ usbview-2.0-21-g6fe2f4f/debian/changelog	2022-01-15 13:42:37.000000000 +0100
@@ -1,3 +1,11 @@
+usbview (2.0-21-g6fe2f4f-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix authorization for inactive or arbitrary other users (CVE-2022-23220)
+  * Pass on the command line parameters to GTK only if not invoked via pkexec
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 15 Jan 2022 13:42:37 +0100
+
 usbview (2.0-21-g6fe2f4f-2) unstable; urgency=low
 
    * Add build dependency on librsvg2-bin since the imagemagick
diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch
--- usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch	1970-01-01 01:00:00.000000000 +0100
+++ usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch	2022-01-15 13:42:37.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix authorization for inactive or arbitrary other users (CVE-2022-23220)
+ The original settings effectively mean that only a user in a local and
+ active (graphical) session needs to enter a root password to run
+ usbview as root. Users in inactive (e.g. locked) sessions or arbitrary
+ other users (e.g. logged in via SSH) can run usbview as root without
+ providing any authentication at all.
+Origin: vendor
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23220
+Author: Matthias Gerstner <mgerst...@suse.de>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2022-01-15
+
+diff --git a/org.freedesktop.pkexec.usbview.policy b/org.freedesktop.pkexec.usbview.policy
+index 0f0bb34..d2c477d 100644
+--- a/org.freedesktop.pkexec.usbview.policy
++++ b/org.freedesktop.pkexec.usbview.policy
+@@ -8,8 +8,8 @@
+     <message>Authentication is required to view USB bus</message>
+     <icon_name>usbview_icon</icon_name>
+     <defaults>
+-      <allow_any>yes</allow_any>
+-      <allow_inactive>yes</allow_inactive>
++      <allow_any>no</allow_any>
++      <allow_inactive>no</allow_inactive>
+       <allow_active>auth_admin_keep</allow_active>
+     </defaults>
+     <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
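Review bot: the DEP-3 `Origin: vendor` header in this new patch file does not match its `Author:` line, which names Matthias Gerstner of SUSE rather than a Debian maintainer; `Origin: other, <URL>` pointing at the oss-security post cited in the mail would record where the fix actually came from. The policy change itself is the right one: with `<allow_any>no</allow_any>` and `<allow_inactive>no</allow_inactive>` a caller outside a local active session (for example logged in via SSH) or in a locked session is refused outright instead of being granted root silently, while the local active session keeps `auth_admin_keep`. Worth confirming with the maintainer that `auth_admin_keep` (which caches the admin authorization for a short while in that session) rather than plain `auth_admin` is the intended behaviour for a tool that is run as root.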
diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch
--- usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch	1970-01-01 01:00:00.000000000 +0100
+++ usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch	2022-01-15 13:42:37.000000000 +0100
@@ -0,0 +1,32 @@
+Description: Pass on the command line parameters to GTK only if not invoked via pkexec
+Origin: vendor
+Author: Matthias Gerstner <mgerst...@suse.de>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2022-01-15
+
+diff --git a/main.c b/main.c
+index e0cb7c1..5f7a1e7 100644
+--- a/main.c
++++ b/main.c
+@@ -7,6 +7,8 @@
+ 	#include <config.h>
+ #endif
+ 
++#include <stdlib.h>
++
+ #include <gtk/gtk.h>
+ 
+ #include "usbtree.h"
+@@ -14,8 +16,11 @@
+ int main (int argc, char *argv[])
+ {
+ 	GtkWidget *window1;
++	gboolean is_pkexec = getenv("PKEXEC_UID") != NULL;
+ 
+-	gtk_init (&argc, &argv);
++	// only evalute command line parameters if not running in pkexec
++	// privilege escalation context to avoid potential attack vectors
++	gtk_init (is_pkexec ? NULL : &argc, is_pkexec ? NULL : &argv);
+ 
+ 	initialize_stuff();
+ 
diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/series usbview-2.0-21-g6fe2f4f/debian/patches/series
--- usbview-2.0-21-g6fe2f4f/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ usbview-2.0-21-g6fe2f4f/debian/patches/series	2022-01-15 13:42:37.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2022-23220-usbview.policy.patch
+pkexec-hardening.patch