Your message dated Thu, 24 Apr 2025 12:50:07 +0000
with message-id <[email protected]>
and subject line Bug#1094998: fixed in steam-installer 1:1.0.0.82~ds-4
has caused the Debian Bug report #1094998,
regarding steam-devices: should document the security trade-offs implied by 
installing this package
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1094998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: steam-devices
Version: 1:1.0.0.82~ds-3
Severity: wishlist
Tags: help
X-Debbugs-Cc: [email protected], [email protected]
Control: block 1094936 by -1
Control: block 1078751 by -1

If packages outside the Valve/Steam ecosystem are going to install
steam-devices automatically (#1094936) or encourage it to be installed
(#1078751) then it should have documentation describing the trade-off
between functionality and security that it implies.

I am "too close" to this package to write that documentation: I don't know
where prospective users of this package would look for this information
(README.Debian? the Description? Appstream metadata, if added by #1078751?)
and I don't know how to condense the details of its security tradeoffs into
a short summary.

Below is an attempt at the long version, with the benefits and risks of
each thing that it enables. I would appreciate it if someone else could
condense this into a summary.

    smcv

/dev/uinput
===========

When I say "local user" or "locally logged-in user" in all of the below,
I mean a user who was, at the time, authenticated as physically present
at the system console.

steam-devices makes /dev/uinput available to locally logged-in users via
udev's uaccess mechanism. /dev/uinput allows user-space programs to
generate mock input devices such as keyboards, mice and game controllers,
which will control programs in the same way as real keyboards and mice.

The benefit is that this is used by two (or possibly more) features of
the proprietary Steam client. Steam Input takes gamepad actions as input,
and generates a mock keyboard, mouse and Xbox 360 controller, which can be
used to control games that do not normally support gamepads, or games that
support only Xbox-compatible gamepads but not Playstation or Nintendo.

Similarly, Steam Remote Play takes input actions from the same Steam
account's session on a mobile device app or another PC, and similarly
generates a mock local keyboard, mouse and game controller; this combines
with video and audio streaming in the opposite direction to form a
specialized gaming-oriented remote desktop protocol, so that players
can run a game on a powerful PC but interact with it on a smaller or
more convenient device.

The security risk is that a malicious local user can open the /dev/uinput
file descriptor, and then keep it open in a background process after they
have logged out or performed "fast user switching". After another local
user logs in, the attacker's emulated keyboard and mouse will provide
input to the victim's desktop session, which they could use to enter
malicious commands.

A mitigation to this security risk is that the victim can see this input
happening, and the attacker cannot see what they are doing (they must
control the victim's desktop "blindly" by predicting what effect their
input will have).

Gamepads in raw HID mode
========================

steam-devices makes /dev/hidraw* devices that correspond to an assortment
of known gamepads available to locally logged-in users. These include
popular gamepads from Microsoft (Xbox), Sony (Playstation), Nintendo
(Switch, etc.) and Valve (Steam Controller and the Steam Deck's built-in
gamepad), along with various third-party "clone" gamepads compatible
with those. /dev/hidraw* are equivalent to the level of access to these
gamepads that would be provided on Windows, and possibly also macOS.

The benefit is that raw HID access allows low-level access to controller
functionality that is not exposed by the higher-level evdev interface,
like Nintendo Switch controllers' motion controls, reconfiguring gamepads
for different modes or behaviours, and updating gamepad firmware.

The security risk is that a malicious local user can open the /dev/hidraw*
file descriptor, and then keep it open in a background process after
they have logged out or performed "fast user switching". After another
local user logs in, the attacker can read whatever input that user
performs via the game controller (like a strange sort of keylogger),
reconfigure it for different modes or behaviours, or potentially change
its behaviour by reprogramming its firmware.

A mitigation to this security risk is that it is uncommon to enter
secret input such as passwords with a gamepad, except for perhaps
via an on-screen virtual keyboard, which would require the attacker
to reconstruct the positions of the virtual keys that were pressed by
observing gamepad movements; so this is less powerful for the attacker
than a keylogger (its scope is more like a mouse logger).

Virtual reality and XR devices
==============================

steam-devices makes a few devices represending virtual reality and XR
peripherals available to locally logged-in users.

The benefit is that this access allows SteamVR to make use of these
devices, including updating their firmware in some cases.

Again, the security risk is that a malicious local user can open the
device file descriptor, and then keep it open in a background process
after they have logged out or performed "fast user switching". After
another local user logs in, the attacker can continue to read input from
the device and/or write configuration and potentially firmware to it.

-- 

--- End Message ---
--- Begin Message ---
Source: steam-installer
Source-Version: 1:1.0.0.82~ds-4
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
steam-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated steam-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Apr 2025 13:35:59 +0100
Source: steam-installer
Architecture: source
Version: 1:1.0.0.82~ds-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1094934 1094998 1102149
Changes:
 steam-installer (1:1.0.0.82~ds-4) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * d/scripts/steam.in: Adjust URLs used for Desktop Actions in
     steam.desktop.
     In desktop environments like GNOME that support Desktop Actions,
     the Community and News actions were no longer functional due to
     changes in the proprietary Steam client. Resolve this by updating
     their associated URLs to the values used in beta 1.0.0.83 upstream.
   * d/control: Depend on a D-Bus session bus.
     This reflects a similar change in Valve's steam-launcher beta 1.0.0.83.
     Steam increasingly assumes that the session bus is present and can be
     relied on.
   * d/control, d/steam-devices.README.Debian:
     Clarify the security implications and benefit/risk tradeoff of
     installing the steam-devices package (Closes: #1094998)
   * d/control: Add a summary of the supported devices to the
     steam-devices package's description (Closes: #1094934)
   * Standards-Version: 4.7.2 (no changes required)
 .
   [ Remus-Gabriel Chelu ]
   * Add Romanian translation for debconf notes (Closes: #1102149)
Checksums-Sha1:
 624b575b34e0df8c8a3b9284ce2b01334a283ff2 2511 steam-installer_1.0.0.82~ds-4.dsc
 ba935e72a11ae8ff6037a0bd180b22f9faad3164 97052 
steam-installer_1.0.0.82~ds-4.debian.tar.xz
 7329b229a236c5d6daaa741af9067c6ab6d0e59c 5926 
steam-installer_1.0.0.82~ds-4_source.buildinfo
Checksums-Sha256:
 0044ed333ea878fc077d72c921b1cb5206dd964108e998a2d8f30256c7eec44c 2511 
steam-installer_1.0.0.82~ds-4.dsc
 5121143cfbf4a193e78b1d3d411d7a835c53637dfa3f49e476f0fe11731ef52e 97052 
steam-installer_1.0.0.82~ds-4.debian.tar.xz
 a9affd6417641df0fa83dc99c85551800ed785b630f1f7e42686f7726a143ff9 5926 
steam-installer_1.0.0.82~ds-4_source.buildinfo
Files:
 5b0b89bb9ebcc6661170da708080b41c 2511 games optional 
steam-installer_1.0.0.82~ds-4.dsc
 2180204b515baf0a5b631bf0e50c1b75 97052 games optional 
steam-installer_1.0.0.82~ds-4.debian.tar.xz
 454583f624ef580a8263ffba9284b6e1 5926 games optional 
steam-installer_1.0.0.82~ds-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmgKMZgACgkQI1wJnT6z
MHbqzhAAm2Rc3kboieqIWix+XnM6dDL6vJzPV8+kU1EieV/18zlGy+QVl+oZIk4V
KFT4RN7zALv7usD8+W3m3Y3kKvdZkQGYTe4KP86Jie/yIJhlQ42/6bELswxRBWFo
61FkGibjK3tK2YS6TrH6GI9yc3RnbRXfq7JhX0chqmMv7SQk8Z+aXc8NjzYpNM7/
QTP/TmyoA8xVaezW1stfOUpe2NWzrHTS48+g1LpAyLSPOgncWrAcmCorR5KjLJgc
Z55XprWKWUeiAwzTi7fCCvDoV5CY72RyfiO6XtV05XyPi/xWZgn5VzUfIlPE8Wq8
zfUJJfQ63/ij9vPnXPCDZB0TvZ2/0MbcI8d6ofSRvmpjgxzIUFCIljcgIndT+RGR
7xKBfB+zVmScqnGC2nXVWZEzm/lU5tSXUv+jrqKuQ/d16bDcqB+XZcQyq1dNI/FM
4rZ48cFSYsQhArtF/KZDhA0IQWurZZ63Gxm5XxOihIM9up+HBFbXjBg1cY5AzMSE
dWIwi4AgHftcme2SeqrQVQ1oHNBGkF16oFdkXLlan65Ojlq/tR9mju3X14jyjgAb
CHOYhH8NVfZgRojKa0FD54GENjASFl+7VTg+PCk43qSqm85H7Yl/qsV+qG04dAgm
DaFe0YxNuhPqGf8nLbmj1rjRcLIKq5gHSh3MXFxzQF92SlnddfA=
=IOoN
-----END PGP SIGNATURE-----

Attachment: pgp9w5rmifbQm.pgp
Description: PGP signature


--- End Message ---

Reply via email to