Package: libgphoto2-2
Version: 2.2.1-12
Severity: grave
Tags: security

In /etc/udev/libgphoto2_generic_ptp_support.rules, there is the following rule:

ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"

The single = sign after ENV{INTERFACE} means that the INTERFACE environment
variable is set, not queried. The result is that all USB devices, and not
only the PTP ones, are set to the plugdev group, thus giving some users
access to devices they should not have access to.

Suggested fix: put two equals signs

Regards,

-- 
  Nicolas George

Irrelevant system information:

ii adduser 3.100
ii libc6 2.3.6.ds1-8
ii libexif12 0.6.13-5
ii libgphoto2-port0 2.2.1-12
ii libjpeg62 6b-13
ii libltdl3 1.5.22-4
ii udev 0.103-1

Linux hellroy 2.6.18-3-686 #1 SMP Mon Dec 4 16:41:14 UTC 2006 i686 GNU/Linux
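
A check for the mistake described in the report above, as an added example that is not part of the original report or of the libgphoto2 package: it scans udev rules for an `ENV{...}` key that is assigned with `=` where a match with `==` was almost certainly meant, and lists the permission keys the rule then applies. The `KERNEL_PROPS` list and the function names are assumptions made for this sketch.

```python
import re

# Assumption: properties the kernel supplies in USB uevents. A rule should test
# these with "==", never assign them with "=".
KERNEL_PROPS = {"INTERFACE", "PRODUCT", "TYPE", "DEVTYPE", "MODALIAS"}
PERMISSION_KEYS = {"MODE", "GROUP", "OWNER"}

# One key/operator/value triple, e.g. ENV{INTERFACE}="6/1/1"
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|:=|=)\s*"((?:[^"\\]|\\.)*)"')

# The rule quoted in the report, and the same rule with the suggested fix.
REPORTED = r'''
ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"
'''
FIXED = REPORTED.replace('ENV{INTERFACE}="6/1/1"', 'ENV{INTERFACE}=="6/1/1"')

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""

def audit(text):
    """Return (property, value, permission keys set) for each suspect assignment."""
    findings = []
    for rule in logical_lines(text):
        tokens = TOKEN.findall(rule)
        grants = [k for k, op, _ in tokens if k in PERMISSION_KEYS and op in ("=", ":=")]
        for key, op, value in tokens:
            m = re.fullmatch(r"ENV\{(\w+)\}", key)
            if m and op == "=" and m.group(1) in KERNEL_PROPS:
                findings.append((m.group(1), value, grants))
    return findings

if __name__ == "__main__":
    for prop, value, grants in audit(REPORTED):
        print(f'ENV{{{prop}}} is assigned "{value}" instead of matched; rule sets {grants}')
```

Assigning `ENV{...}` is valid udev syntax in other contexts, so a finding is a prompt to review the rule, not proof of a fault.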