Package: libgphoto2-2
Version: 2.2.1-12
Severity: grave
Tags: security

In /etc/udev/libgphoto2_generic_ptp_support.rules, there is the following
rule:

ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"

The single = sign after ENV{INTERFACE} means that the INTERFACE environment
variable is set, not queried. The result is that all USB devices, and not
only the PTP ones, are set to the plugdev group, thus giving some users
access to devices they should not have access to.

Suggested fix: put two equals signs.

Regards,

-- 
  Nicolas George


Irrelevant system information:

ii  adduser           3.100      
ii  libc6             2.3.6.ds1-8
ii  libexif12         0.6.13-5   
ii  libgphoto2-port0  2.2.1-12   
ii  libjpeg62         6b-13      
ii  libltdl3          1.5.22-4   
ii  udev              0.103-1    
Linux hellroy 2.6.18-3-686 #1 SMP Mon Dec 4 16:41:14 UTC 2006 i686 GNU/Linux
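
A check for this class of mistake, as an added example that is not part of the original report or of the libgphoto2 or udev packages: a small Python linter that flags udev rules in which a single "=" sits where a match was probably intended. The names lint and logical_rules and the ENV heuristic are assumptions of this example; the sample input is the rule quoted in the report.

```python
import re

# Keys udev only ever matches on; a single "=" on one of them cannot be valid.
MATCH_ONLY = {"ACTION", "KERNEL", "KERNELS", "SUBSYSTEM", "SUBSYSTEMS",
              "DEVPATH", "DRIVER", "DRIVERS", "ATTRS", "RESULT"}
PERMISSION = {"MODE", "GROUP", "OWNER"}  # keys deciding who may open the node
TOKEN = re.compile(r'([A-Z_]+)(\{[^}]*\})?\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

def logical_rules(text):
    """Yield (first_line_number, rule) with backslash continuations joined."""
    buf, start = "", 0
    for n, line in enumerate(text.splitlines(), 1):
        start = start if buf else n
        buf += line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf
        buf = ""
    if buf.strip():  # file ended on a continuation line
        yield start, buf

def lint(text):
    """Return (line, key, reason) for each "=" that looks like an intended "=="."""
    findings = []
    for line_no, rule in logical_rules(text):
        tokens = TOKEN.findall(rule)
        grants = any(k in PERMISSION for k, _, op, _ in tokens if op not in ("==", "!="))
        for key, attr, op, _ in tokens:
            if op != "=":
                continue
            if key in MATCH_ONLY:
                findings.append((line_no, key + attr, "match-only key assigned"))
            elif key == "ENV" and grants:  # heuristic: legal syntax, suspicious here
                findings.append((line_no, key + attr, "ENV set, not tested, in a rule granting access"))
    return findings

# Constructed input: the rule quoted in the report, and the same rule with "==".
REPORTED = r'''
ACTION=="add", SUBSYSTEM=="usb_device", ENV{INTERFACE}="6/1/1", \
  PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev}; printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", \
  NAME="%c", MODE="0660", GROUP="plugdev"
'''
FIXED = REPORTED.replace('ENV{INTERFACE}="', 'ENV{INTERFACE}=="')

if __name__ == "__main__":
    for finding in lint(REPORTED):
        print(finding)
```

The ENV check is a heuristic: setting an environment variable is legal udev syntax, so a hit means the rule needs a human look, not that it is certainly wrong.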
