lists.openwall.net: Open Source and information security mailing list archives
Date:   Fri, 21 Jan 2022 14:53:00 +0100
From:   Greg KH <greg@...ah.com>
To:     linux-usb@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, Matthias Gerstner <mgerstner@...e.de>
Subject: usbview 2.2 release

There's a new version of usbview that is now released.  If you are
building/running from source, this isn't that big of a change, but if
you are a distro packager, this is a big deal as it fixes an issue with
polkit that could cause bad issues due to some root privileges being
needed for the program to run well.  This fixes CVE-2022-23220 and many
thanks to Matthias Gerstner of the SUSE security team for finding and
fixing these issues.

The package can be downloaded at:
	http://www.kroah.com/linux/usb/usbview-2.2.tar.gz
and the git tree can be found at:
	http://github.com/gregkh/usbview

Note, the requirement of root access for this tool is a story of how
systems evolve over time.  When this tool was first written, back in
1999, the 'devices' file was in usbdevfs (now usbfs), which was readable
by anyone.  Then that file moved out of usbdevfs and into debugfs, which
was mounted at /sys/kernel/debug/ and still readable by anyone.

Then, distros started to lock down debugfs and would only allow programs
that had root access to read from it, which required usbview to also
require such access.  This really is silly given that the same
information, if not more, is available to anyone who uses 'lsusb' or
libusb as usb device information is not restricted.  But usbview was
never touched, and so it still required such access, which was noticed
by SUSE and hence the security audit.

I have a hacked up rewrite of the tool in a branch in the git tree that
does not require root access, and will be polishing this up and should
do a new release with that change in a few days.  But for now, the above
security fix should be sufficient for distros that currently ship the
package and use the polkit configuration file.

thanks,

greg k-h

-------
version 2.2
        - security issue fixed with polkit (CVE-2022-23220).
        - copyright year fixups and updates
        - tooltip added to explain red devices have no attached drivers
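The post's point that the device tree usbview shows is already available to an unprivileged user (it is what lsusb and libusb read) can be checked directly: sysfs exposes per-device idVendor/idProduct/product attributes and a per-interface "driver" symlink under /sys/bus/usb/devices, without any need for the root-only debugfs file. The script below is an added example written for this page, not code from usbview or from the post. The sysfs attribute and directory names are the real ones; the tree built by make_fake_sysfs() is constructed sample data so the script runs offline, and its vendor/product IDs and names are made up. The "driven" flag corresponds to what usbview's tooltip describes: a device none of whose interfaces has a bound driver.

```python
"""Enumerate USB devices from sysfs as an unprivileged user.

Added example (not usbview's code). Reads /sys/bus/usb/devices, the
same source lsusb/libusb use, instead of the debugfs file
/sys/kernel/debug/usb/devices that distros commonly restrict to root.
"""
import os
import re
import tempfile

# Entry-name patterns in /sys/bus/usb/devices:
#   usb1      root hub
#   1-1, 2-1.4 device on a bus/port path
#   1-1:1.0   interface 0 of configuration 1 of device 1-1
ROOT_HUB_RE = re.compile(r"^usb\d+$")
DEVICE_RE = re.compile(r"^\d+-[\d.]+$")
IFACE_RE = re.compile(r"^(\d+-[\d.]+):\d+\.\d+$")


def _read_attr(path, default=""):
    """Read one sysfs attribute file, tolerating missing or unreadable files."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return default


def enumerate_usb(sysfs_root="/sys"):
    """Return devices as dicts: name, vid, pid, product, interfaces, driven.

    'driven' is True when at least one interface has a 'driver' symlink,
    i.e. a kernel driver is bound. Devices with no driver at all are the
    ones usbview colours red.
    """
    base = os.path.join(sysfs_root, "bus", "usb", "devices")
    entries = sorted(os.listdir(base))
    devices = {}
    for name in entries:
        if DEVICE_RE.match(name) or ROOT_HUB_RE.match(name):
            d = os.path.join(base, name)
            devices[name] = {
                "name": name,
                "vid": _read_attr(os.path.join(d, "idVendor")),
                "pid": _read_attr(os.path.join(d, "idProduct")),
                "product": _read_attr(os.path.join(d, "product")),
                "interfaces": [],
                "driven": False,
            }
    for name in entries:
        m = IFACE_RE.match(name)
        if not m or m.group(1) not in devices:
            continue  # root-hub interfaces (e.g. 1-0:1.0) and unknown parents
        link = os.path.join(base, name, "driver")
        driver = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
        dev = devices[m.group(1)]
        dev["interfaces"].append({"name": name, "driver": driver})
        if driver:
            dev["driven"] = True
    return sorted(devices.values(), key=lambda dev: dev["name"])


def summarize(devices):
    """One text line per device, marking devices without any bound driver."""
    lines = []
    for dev in devices:
        drivers = sorted({i["driver"] for i in dev["interfaces"] if i["driver"]})
        tag = ", ".join(drivers) if drivers else "no driver"
        lines.append(f"{dev['name']} {dev['vid']}:{dev['pid']} {dev['product'] or '?'} [{tag}]")
    return lines


def make_fake_sysfs(root):
    """Build a constructed sysfs-like tree (sample data, not a real machine)."""
    base = os.path.join(root, "bus", "usb", "devices")
    spec = {  # constructed IDs and names
        "usb1": {"idVendor": "1d6b", "idProduct": "0002", "product": "Fake Host Controller"},
        "1-1": {"idVendor": "1234", "idProduct": "abcd", "product": "Example Keyboard"},
        "1-2": {"idVendor": "5678", "idProduct": "0001", "product": "Unclaimed Gadget"},
    }
    for name, attrs in spec.items():
        os.makedirs(os.path.join(base, name), exist_ok=True)
        for attr, value in attrs.items():
            with open(os.path.join(base, name, attr), "w", encoding="utf-8") as fh:
                fh.write(value + "\n")
    os.makedirs(os.path.join(base, "1-1:1.0"))
    os.symlink("../../../bus/usb/drivers/usbhid", os.path.join(base, "1-1:1.0", "driver"))
    os.makedirs(os.path.join(base, "1-2:1.0"))  # no driver symlink: "red" in usbview
    return base


def demo():
    """Run the enumeration over the constructed tree and return the result."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    make_fake_sysfs(root)
    return enumerate_usb(root)


if __name__ == "__main__":
    target = "/sys" if os.path.isdir("/sys/bus/usb/devices") else None
    devs = enumerate_usb(target) if target else demo()
    print("\n".join(summarize(devs)))
```

On a real machine the script runs as an ordinary user against /sys; the debugfs path the post discusses is not touched at all. Note that the sysfs entries are symlinks into /sys/devices, so the "driver" check must use os.path.islink on the joined path rather than following the device link and then stat-ing.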
