Package: usbview
Version: 2.0-21-g6fe2f4f-2
Severity: normal
Tags: patch pending
X-Debbugs-Cc: Mark Brown <broo...@debian.org>
Hi Mark,

I've prepared an NMU for usbview (versioned as 2.0-21-g6fe2f4f-2.1) and actually uploaded it right away into the archive for unstable, along with the respective updates via buster-security and bullseye-security. I hope this was okay for you. The reason is to fix CVE-2022-23220. Details are in the oss-security post at [1].

[1] https://www.openwall.com/lists/oss-security/2022/01/21/1

Regards,
Salvatore
diff -Nru usbview-2.0-21-g6fe2f4f/debian/changelog usbview-2.0-21-g6fe2f4f/debian/changelog --- usbview-2.0-21-g6fe2f4f/debian/changelog 2018-06-04 11:52:41.000000000 +0200 +++ usbview-2.0-21-g6fe2f4f/debian/changelog 2022-01-15 13:42:37.000000000 +0100 @@ -1,3 +1,11 @@ +usbview (2.0-21-g6fe2f4f-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Fix authorization for inactive or arbitrary other users (CVE-2022-23220) + * Pass on the command line parameters to GTK only if not invoked via pkexec + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 15 Jan 2022 13:42:37 +0100 + usbview (2.0-21-g6fe2f4f-2) unstable; urgency=low * Add build dependency on librsvg2-bin since the imagemagick diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch --- usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch 1970-01-01 01:00:00.000000000 +0100 +++ usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch 2022-01-15 13:42:37.000000000 +0100 
@@ -0,0 +1,27 @@ +Description: Fix authorization for inactive or arbitrary other users (CVE-2022-23220) + The original settings effectively mean that only a user in a local and + active (graphical) session needs to enter a root password to run + usbview as root. Users in inactive (e.g. locked) sessions or arbitrary + other users (e.g. logged in via SSH) can run usbview as root without + providing any authentication at all. +Origin: vendor +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23220 +Author: Matthias Gerstner <mgerst...@suse.de> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2022-01-15 + +diff --git a/org.freedesktop.pkexec.usbview.policy b/org.freedesktop.pkexec.usbview.policy +index 0f0bb34..d2c477d 100644 +--- a/org.freedesktop.pkexec.usbview.policy ++++ b/org.freedesktop.pkexec.usbview.policy +@@ -8,8 +8,8 @@ + <message>Authentication is required to view USB bus</message> + <icon_name>usbview_icon</icon_name> + <defaults> +- <allow_any>yes</allow_any> +- <allow_inactive>yes</allow_inactive> ++ <allow_any>no</allow_any> ++ <allow_inactive>no</allow_inactive> + <allow_active>auth_admin_keep</allow_active> + </defaults> + <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate> diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch --- usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch 1970-01-01 01:00:00.000000000 +0100 +++ usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch 2022-01-15 13:42:37.000000000 +0100 
@@ -0,0 +1,32 @@ +Description: Pass on the command line parameters to GTK only if not invoked via pkexec +Origin: vendor +Author: Matthias Gerstner <mgerst...@suse.de> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2022-01-15 + +diff --git a/main.c b/main.c +index e0cb7c1..5f7a1e7 100644 +--- a/main.c ++++ b/main.c +@@ -7,6 +7,8 @@ + #include <config.h> + #endif + ++#include <stdlib.h> ++ + #include <gtk/gtk.h> + + #include "usbtree.h" +@@ -14,8 +16,11 @@ + int main (int argc, char *argv[]) + { + GtkWidget *window1; ++ gboolean is_pkexec = getenv("PKEXEC_UID") != NULL; + +- gtk_init (&argc, &argv); ++ // only evalute command line parameters if not running in pkexec ++ // privilege escalation context to avoid potential attack vectors ++ gtk_init (is_pkexec ? NULL : &argc, is_pkexec ? NULL : &argv); + + initialize_stuff(); + diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/series usbview-2.0-21-g6fe2f4f/debian/patches/series --- usbview-2.0-21-g6fe2f4f/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ usbview-2.0-21-g6fe2f4f/debian/patches/series 2022-01-15 13:42:37.000000000 +0100 @@ -0,0 +1,2 @@ +CVE-2022-23220-usbview.policy.patch +pkexec-hardening.patch
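Review bot: In the org.freedesktop.pkexec.usbview.policy hunk, allow_active stays at auth_admin_keep, which caches a successful admin authorization for a short period, so the patch description's claim that an active local user "needs to enter a root password to run usbview as root" holds only for the first invocation inside that window; if a root-running GTK program should prompt every time, change it to `<allow_active>auth_admin</allow_active>`. The two flipped lines are right as they stand: with `<allow_any>no</allow_any>` and `<allow_inactive>no</allow_inactive>`, a remote (e.g. SSH) caller or a user in a locked session is refused outright rather than being granted the action with no prompt at all, which is the CVE-2022-23220 condition the description spells out.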
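Review bot: The `is_pkexec = getenv("PKEXEC_UID") != NULL` test in the main.c hunk deserves a sentence in the patch description on why it is safe to trust an environment variable here: pkexec runs the program in a minimal environment that it populates itself, so the value seen under pkexec is pkexec's own, and an unprivileged user who sets PKEXEC_UID in a plain invocation only makes usbview ignore its command line, i.e. the check fails safe in the only direction an attacker controls. Note also that passing NULL to gtk_init leaves argc/argv untouched instead of stripping GTK options from them, so any code reading argv after this point would still see the caller's arguments; nothing in the visible hunk does, but that is worth keeping in mind if main() grows. Minor: "evalute" in the new comment should be "evaluate".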
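The defaults the policy patch corrects are a pattern that can be checked for mechanically across every installed polkit action. The following is an added example for this report, not code from the usbview project or from Debian: it parses each `<action>` the way polkit resolves it (allow_active for a local active session, allow_inactive for a local locked/inactive session, allow_any for everything else, such as an SSH login) and flags any session class whose default is weaker than allow_active, which is exactly what allow_any=yes / allow_inactive=yes next to auth_admin_keep was. The strictness ordering of the six polkit values and the two sample policy files are assumptions made for the example; the default directory is polkit's standard action path.

```python
"""Audit polkit .policy files for the defaults pattern behind CVE-2022-23220.

Added example for this bug report; not code from the usbview project or Debian.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Higher score = stricter requirement. Assumed ordering: refusing outright is
# strictest, a fresh admin prompt beats a cached one, any prompt beats none.
STRENGTH = {
    "no": 5,
    "auth_admin": 4,
    "auth_admin_keep": 3,
    "auth_self": 2,
    "auth_self_keep": 1,
    "yes": 0,
}
EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
SESSION_KEYS = ("allow_any", "allow_inactive", "allow_active")


def audit_policy(xml_text):
    """Return (action_id, exec_path, finding) tuples for every weak default."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<no id>")
        # For pkexec actions the annotation names the program that will run as root.
        exec_path = next(((a.text or "").strip() for a in action.findall("annotate")
                          if a.get("key") == EXEC_PATH_KEY), None)
        defaults = action.find("defaults")
        values = {}
        for key in SESSION_KEYS:
            el = defaults.find(key) if defaults is not None else None
            # polkit treats a missing element as "no".
            text = (el.text or "").strip() if el is not None else "no"
            if text not in STRENGTH:
                findings.append((action_id, exec_path, f"{key} has unknown value {text!r}"))
                text = "yes"  # unknown value: assume weakest so it is reported below
            values[key] = text
        active = values["allow_active"]
        for key in ("allow_any", "allow_inactive"):
            if STRENGTH[values[key]] < STRENGTH[active]:
                findings.append((action_id, exec_path,
                                 f"{key}={values[key]} is weaker than allow_active={active}"))
    return findings


def audit_directory(directory="/usr/share/polkit-1/actions"):
    """Audit every *.policy file in a directory; default is polkit's action dir."""
    results = {}
    for path in sorted(Path(directory).glob("*.policy")):
        results[str(path)] = audit_policy(path.read_text(encoding="utf-8"))
    return results


# Constructed samples: the pre-patch usbview defaults, and the patched ones.
VULNERABLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.pkexec.usbview">
    <message>Authentication is required to view USB bus</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
  </action>
</policyconfig>"""

FIXED_POLICY = (VULNERABLE_POLICY
                .replace("<allow_any>yes", "<allow_any>no")
                .replace("<allow_inactive>yes", "<allow_inactive>no"))


if __name__ == "__main__":
    # With a directory argument, audit real files; otherwise show the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = audit_directory(target) if target else {"<sample>": audit_policy(VULNERABLE_POLICY)}
    for filename, findings in report.items():
        for action_id, exec_path, finding in findings:
            print(f"{filename}: {action_id} ({exec_path or 'no exec.path'}): {finding}")
```

Run it as `python3 audit_polkit.py /usr/share/polkit-1/actions` to list every installed action whose remote or inactive-session default is weaker than its active-session default; a hit on an action carrying an exec.path annotation means the named binary can be launched as root from a less trusted session than the policy author probably intended.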