Processed: Re: Bug#1025137: bullseye-pu: package g810-led/0.4.2-1

2022-12-07 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1025137 [release.debian.org] bullseye-pu: package g810-led/0.4.2-1
Added tag(s) confirmed.

-- 
1025137: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1025137: bullseye-pu: package g810-led/0.4.2-1

2022-12-07 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-11-30 at 08:32 +0100, Stephen Kitt wrote:
> g810-led has a security issue in stable; it leaves /dev/input/eventXX
> device nodes world-readable and writable (CVE-2022-46338). The issue
> is marked no-dsa, but I would like to provide a fix in the next
> point-release. The fix is already in unstable (0.4.2-3).
> 
> The attached debdiff fixes the issue by patching the udev rules file:
> the affected device nodes have their mode set to 660 instead of 666,
> and uaccess is used to provide access to the user at the console. I
> own relevant hardware and have verified the fix myself on a multi-user
> system.
> 

Please go ahead.

Regards,

Adam
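The condition Stephen describes (device nodes that every local process can read, so keystrokes are exposed) and the two ingredients of the fix (a 660 mode and a uaccess tag) are easy to check on a running host. The script below is an added example, not code from the bug report or from the g810-led project. It assumes the usual udev locations (/dev/input, /etc/udev/rules.d, /lib/udev/rules.d), GNU or busybox `stat -c`, and systemd's 73-seat-late.rules as the point where TAG+="uaccess" is acted on, which is why a rules file that tags uaccess must sort before it.

```shell
#!/bin/sh
# Audit helper for the exposure described in CVE-2022-46338: input device
# nodes that any local user can read or write, and the udev rules that hand
# out such modes. Added example, not from the g810-led project or the Debian
# bug. Assumptions: /dev/input/event* naming, udev rules under
# /etc/udev/rules.d and /lib/udev/rules.d, `stat -c '%a'`, and that
# systemd's 73-seat-late.rules is where TAG+="uaccess" takes effect.

SEAT_LATE="73-seat-late.rules"

# Return 0 if an octal mode such as 666, 0660 or 644 grants "other" read or
# write, i.e. its last digit has bit 4 or bit 2 set (2..7).
mode_world_accessible() {
    case "$1" in
        *[2-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every /dev/input/event* node that is world-readable or
# world-writable, one "path mode" pair per line.
find_exposed_input_nodes() {
    for node in /dev/input/event*; do
        [ -c "$node" ] || continue
        mode=$(stat -c '%a' "$node") || continue
        if mode_world_accessible "$mode"; then
            printf '%s %s\n' "$node" "$mode"
        fi
    done
}

# Print, with line numbers, the lines of a rules file that assign a MODE
# whose "other" digit grants read or write (e.g. MODE="666").
find_permissive_rules() {
    grep -nE 'MODE="0?[0-7][0-7][2-7]"' "$1"
}

# udev processes rules files in C-locale lexical order of their basenames,
# so a file that adds TAG+="uaccess" only works if it sorts before
# 73-seat-late.rules. Return 0 if the given path does.
uaccess_order_ok() {
    base=$(basename "$1")
    first=$(printf '%s\n%s\n' "$base" "$SEAT_LATE" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$base" ] && [ "$base" != "$SEAT_LATE" ]
}

# Walk one rules directory: report permissive MODE lines and uaccess tags
# that live in a file sorting too late to be honoured.
audit_rules_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        find_permissive_rules "$f" | sed "s|^|$f:|"
        if grep -q 'TAG+="uaccess"' "$f" && ! uaccess_order_ok "$f"; then
            printf '%s: TAG+="uaccess" but file sorts after %s\n' "$f" "$SEAT_LATE"
        fi
    done
}

audit_system() {
    echo "== world-accessible input nodes =="
    find_exposed_input_nodes
    echo "== permissive or ineffective udev rules =="
    audit_rules_dir /etc/udev/rules.d
    audit_rules_dir /lib/udev/rules.d
}

# Only inspect the live system when asked explicitly: ./udev-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_system
fi
```

Run it before and after installing the fixed package: the first section should go from listing the keyboard's event node with mode 666 to listing nothing, and the second section should stay empty. Note that an upgrade only rewrites the rules; nodes that already exist keep their old mode until udev re-evaluates them or the device is replugged, so a non-empty first section right after the upgrade is expected rather than a sign the fix is wrong.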



Bug#1025137: bullseye-pu: package g810-led/0.4.2-1

2022-11-29 Thread Stephen Kitt
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

g810-led has a security issue in stable; it leaves /dev/input/eventXX
device nodes world-readable and writable (CVE-2022-46338). The issue
is marked no-dsa, but I would like to provide a fix in the next
point-release. The fix is already in unstable (0.4.2-3).

The attached debdiff fixes the issue by patching the udev rules file:
the affected device nodes have their mode set to 660 instead of 666,
and uaccess is used to provide access to the user at the console. I
own relevant hardware and have verified the fix myself on a multi-user
system.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Stephen
diff -Nru g810-led-0.4.2/debian/changelog g810-led-0.4.2/debian/changelog
--- g810-led-0.4.2/debian/changelog 2020-05-23 20:33:29.0 +0200
+++ g810-led-0.4.2/debian/changelog 2022-11-30 08:24:25.0 +0100
@@ -1,3 +1,11 @@
+g810-led (0.4.2-1+deb11u1) bullseye; urgency=medium
+
+  * Control device access with uaccess instead of making everything
+world-writable. Thanks to Xavi Drudis Ferran for the report!
+Closes:#1024998. (CVE-2022-46338.)
+
+ -- Stephen Kitt   Wed, 30 Nov 2022 08:24:25 +0100
+
 g810-led (0.4.2-1) unstable; urgency=medium
 
   * New upstream release.
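Review bot: the new changelog entry records the CVE and bug number but not the user-visible consequence of "Control device access with uaccess": after the upgrade only the user logged in at the local seat keeps unprivileged access to the device nodes, so anyone who ran g810-led over SSH or from a service will need root or a local udev override. One sentence saying so here (or a NEWS entry) would spare stable users a surprise. Minor style point: Debian convention is "Closes: #1024998" with a space after the colon, and the CVE is usually cited without a trailing period inside the parentheses.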
diff -Nru g810-led-0.4.2/debian/patches/device-permissions.patch 
g810-led-0.4.2/debian/patches/device-permissions.patch
--- g810-led-0.4.2/debian/patches/device-permissions.patch  1970-01-01 
01:00:00.0 +0100
+++ g810-led-0.4.2/debian/patches/device-permissions.patch  2022-11-30 
08:23:44.0 +0100
@@ -0,0 +1,74 @@
+commit e2b486fd1bc21e0b784e1b4c959770772dfced24
+Author: Stephen Kitt 
+Date:   Mon Nov 28 21:05:05 2022 +0100
+
+Rely on uaccess to control device access
+
+The udev rules currently make supported device nodes world-readable
+and writable, which means that any process on the system can read
+traffic from keyboards including passwords etc. To avoid this, while
+still allowing the "controlling" user to run g810-led without being
+root, this patch adds a uaccess tag; this ensures that the user at the
+console has write access to the devices. The mode is also changed to
+660 to ensure that existing device nodes are fixed on upgrade.
+
+Thanks to Xavi Drudis Ferran for bringing this to my attention.
+
+Fixes: #293
+Signed-off-by: Stephen Kitt 
+
+diff --git a/udev/g810-led.rules b/udev/g810-led.rules
+index 90b743b..ea05726 100644
+--- a/udev/g810-led.rules
 b/udev/g810-led.rules
+@@ -1,25 +1,25 @@
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c330", MODE="666" RUN+="/usr/bin/g410-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c33a", MODE="666" RUN+="/usr/bin/g413-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c342", MODE="666" RUN+="/usr/bin/g512-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c33c", MODE="666" RUN+="/usr/bin/g513-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c333", MODE="666" RUN+="/usr/bin/g610-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c338", MODE="666" RUN+="/usr/bin/g610-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c331", MODE="666" RUN+="/usr/bin/g810-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c337", MODE="666" RUN+="/usr/bin/g810-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c33f", MODE="666" RUN+="/usr/bin/g815-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c32b", MODE="666" RUN+="/usr/bin/g910-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c335", MODE="666" RUN+="/usr/bin/g910-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c339", MODE="666" RUN+="/usr/bin/gpro-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d", 
ATTRS{idProduct}=="c336", MODE="666" RUN+="/usr/bin/g213-led -p 
/etc/g810-led/profile"
+-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="046d",
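Review bot: the uaccess tag this patch introduces (per its commit message) is only honoured if the rules file sorts before systemd's 73-seat-late.rules, where TAG=="uaccess" is turned into the ACL-setting builtin; the upstream file is udev/g810-led.rules with no numeric prefix, so the packaging should install it under a name that sorts earlier (a prefix below 73) or the nodes end up at 0660 with no console-user access at all. Separately, the commit message says the change to 660 "ensure[s] that existing device nodes are fixed on upgrade", but a rules change by itself does nothing to nodes that already exist; unless the postinst runs udevadm trigger, the 0666 nodes stay until the keyboard is replugged or the host reboots, and because every visible rule matches ACTION=="add" only, that trigger would need --action=add rather than the default change event. Worth stating in the commit message which of these the package relies on.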