udev: input device permissions

Bug #6913 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
udev (Debian) | Fix Released | Unknown | |
udev (Ubuntu) | Invalid | Medium | Unassigned |

Bug Description

Automatically imported from Debian bug report #257165 http://bugs.debian.org/257165

Revision history for this message
In , Matt Zimmerman (mdz) wrote : Re: Bug#257165: udev: input device permissions

severity 257165 grave
thanks

On Thu, Jul 01, 2004 at 10:28:04AM -0700, Itay Ben-Yaacov wrote:
> Package: udev
> Version: 0.026-1
> Severity: normal
> Tags: security
>
>
> Permissions of /dev/input/* should be 600 or 640, but certainly not
> 644! Anybody logged on could read my password directly from the event#
> device associated with the keyboard.

Eek! This is severe.

--
 - mdz

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 01 Jul 2004 10:28:04 -0700
From: Itay Ben-Yaacov <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: udev: input device permissions

Package: udev
Version: 0.026-1
Severity: normal
Tags: security

Permissions of /dev/input/* should be 600 or 640, but certainly not
644! Anybody logged on could read my password directly from the event#
device associated with the keyboard.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-2.3.4.3
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages udev depends on:
ii debconf [debconf-2.0] 1.4.29 Debian configuration management sy
ii hotplug 0.0.20040329-11 Linux Hotplug Scripts
ii initscripts 2.85-22 Standard scripts needed for bootin
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libnewt0.51 0.51.6-6 Not Erik's Windowing Toolkit - tex
ii makedev 2.3.1-70 Creates device files in /dev

-- debconf information:
  udev/devfs-warning:
  udev/reboot-warning:

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 1 Jul 2004 10:46:43 -0700
From: Matt Zimmerman <email address hidden>
To: Itay Ben-Yaacov <email address hidden>, <email address hidden>
Subject: Re: Bug#257165: udev: input device permissions

severity 257165 grave
thanks

On Thu, Jul 01, 2004 at 10:28:04AM -0700, Itay Ben-Yaacov wrote:
> Package: udev
> Version: 0.026-1
> Severity: normal
> Tags: security
>
>
> Permissions of /dev/input/* should be 600 or 640, but certainly not
> 644! Anybody logged on could read my password directly from the event#
> device associated with the keyboard.

Eek! This is severe.

--
 - mdz

Revision history for this message
In , Itay Ben-Yaacov (nib-maps) wrote :

Actually, re-reading the definitions in reportbug, this seems to be *critical*. Why doesn't
anyone DO anything about this? NMU? Something???

> On Thu, Jul 01, 2004 at 10:28:04AM -0700, Itay Ben-Yaacov wrote:
> > Package: udev
> > Version: 0.026-1
> > Severity: normal
> > Tags: security
> >
> >
> > Permissions of /dev/input/* should be 600 or 640, but certainly not
> > 644! Anybody logged on could read my password directly from the event#
> > device associated with the keyboard.
>
> Eek! This is severe.
>
> --
> - mdz
>


Revision history for this message
In , Matt Zimmerman (mdz) wrote :

On Mon, Jul 05, 2004 at 08:24:56PM +0100, Itay Ben-Yaacov wrote:

> Actually, re-reading the definitions in reportbug, this seems to be
> *critical*. Why doesn't anyone DO anything about this? NMU? Something???

Dear Debian User,

You have opted to use an unstable, pre-release version of Debian. We
appreciate your willingness to provide testing and feedback for this
unstable, pre-release distribution. However, the volunteers you know and
love do not provide timely security support for unstable, pre-release
versions of Debian.

Debian encourages community involvement in package maintainership, and
welcomes third-party contributions from energetic users like yourself! By
sending a patch to the bug tracking system to fix this problem, you, too,
can participate in the development process.

Happy Hacking,

--
 - mdz

Revision history for this message
In , Marco d'Itri (md) wrote : tagging 257165

# Automatically generated email from bts, devscripts version 2.7.95.1
tags 257165 pending

Revision history for this message
In , Marco d'Itri (md) wrote : Re: Bug#257165: udev: input device permissions

On Jul 05, Itay Ben-Yaacov <email address hidden> wrote:

>
> Actually, re-reading the definitions in reportbug, this seems to be *critical*. Why doesn't
> anyone DO anything about this? NMU? Something???
It has been broken for weeks and somebody only noticed a couple of days
ago, if you can't update the config file by yourself I'm sure you can
wait for a few days while I work on other issues.

--
ciao, |
Marco | [7021 sf0P1wJog0uAc]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 5 Jul 2004 20:24:56 +0100 (BST)
From: =?iso-8859-1?q?Itay=20Ben-Yaacov?= <email address hidden>
To: Matt Zimmerman <email address hidden>, <email address hidden>,
  <email address hidden>
Subject: Re: Bug#257165: udev: input device permissions

Actually, re-reading the definitions in reportbug, this seems to be *critical*. Why doesn't
anyone DO anything about this? NMU? Something???

> On Thu, Jul 01, 2004 at 10:28:04AM -0700, Itay Ben-Yaacov wrote:
> > Package: udev
> > Version: 0.026-1
> > Severity: normal
> > Tags: security
> >
> >
> > Permissions of /dev/input/* should be 600 or 640, but certainly not
> > 644! Anybody logged on could read my password directly from the event#
> > device associated with the keyboard.
>
> Eek! This is severe.
>
> --
> - mdz
>


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 5 Jul 2004 13:44:26 -0700
From: Matt Zimmerman <email address hidden>
To: Itay Ben-Yaacov <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#257165: udev: input device permissions

On Mon, Jul 05, 2004 at 08:24:56PM +0100, Itay Ben-Yaacov wrote:

> Actually, re-reading the definitions in reportbug, this seems to be
> *critical*. Why doesn't anyone DO anything about this? NMU? Something???

Dear Debian User,

You have opted to use an unstable, pre-release version of Debian. We
appreciate your willingness to provide testing and feedback for this
unstable, pre-release distribution. However, the volunteers you know and
love do not provide timely security support for unstable, pre-release
versions of Debian.

Debian encourages community involvement in package maintainership, and
welcomes third-party contributions from energetic users like yourself! By
sending a patch to the bug tracking system to fix this problem, you, too,
can participate in the development process.

Happy Hacking,

--
 - mdz

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 5 Jul 2004 22:25:43 +0200
From: Marco d'Itri <email address hidden>
To: Itay Ben-Yaacov <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#257165: udev: input device permissions

On Jul 05, Itay Ben-Yaacov <email address hidden> wrote:

>
> Actually, re-reading the definitions in reportbug, this seems to be *critical*. Why doesn't
> anyone DO anything about this? NMU? Something???
It has been broken for weeks and somebody only noticed a couple of days
ago, if you can't update the config file by yourself I'm sure you can
wait for a few days while I work on other issues.

--
ciao, |
Marco | [7021 sf0P1wJog0uAc]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 5 Jul 2004 22:25:51 +0200
From: Marco d'Itri <email address hidden>
To: <email address hidden>
Subject: tagging 257165

# Automatically generated email from bts, devscripts version 2.7.95.1
tags 257165 pending

Revision history for this message
Matt Zimmerman (mdz) wrote :

Fixed with upload of 0.026-1ubuntu1 to Warty

Revision history for this message
In , Itay Ben-Yaacov (nib-maps) wrote :

> It has been broken for weeks and somebody only noticed a couple of days
> ago, if you can't update the config file by yourself I'm sure you can
> wait for a few days while I work on other issues.

It was repaired on my box before I reported it, of course. Given that it's a single user machine,
it is not that important to me anyways. I have no idea for how long it has been broken, but it's
definitely been around long enough to make its way into sarge. So there are more machines out
there which are potentially affected.
Now, people using sid accept the potential consequences, but the consequences for sarge should be
somewhat lesser, and in any case I innocently thought such a security hole could be repaired more
hastily. Then again, it no longer concerns me.

Cheers,
Itay


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 6 Jul 2004 01:35:39 +0100 (BST)
From: =?iso-8859-1?q?Itay=20Ben-Yaacov?= <email address hidden>
To: Marco d'Itri <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#257165: udev: input device permissions

> It has been broken for weeks and somebody only noticed a couple of days
> ago, if you can't update the config file by yourself I'm sure you can
> wait for a few days while I work on other issues.

It was repaired on my box before I reported it, of course. Given that it's a single user machine,
it is not that important to me anyways. I have no idea for how long it has been broken, but it's
definitely been around long enough to make its way into sarge. So there are more machines out
there which are potentially affected.
Now, people using sid accept the potential consequences, but the consequences for sarge should be
somewhat lesser, and in any case I innocently thought such a security hole could be repaired more
hastily. Then again, it no longer concerns me.

Cheers,
Itay


Revision history for this message
In , Marco d'Itri (md) wrote : Bug#257165: fixed in udev 0.030-1

Source: udev
Source-Version: 0.030-1

We believe that the bug you reported is fixed in the latest version of
udev, which is due to be installed in the Debian FTP archive:

udev_0.030-1.diff.gz
  to pool/main/u/udev/udev_0.030-1.diff.gz
udev_0.030-1.dsc
  to pool/main/u/udev/udev_0.030-1.dsc
udev_0.030-1_i386.deb
  to pool/main/u/udev/udev_0.030-1_i386.deb
udev_0.030.orig.tar.gz
  to pool/main/u/udev/udev_0.030.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <email address hidden> (supplier of updated udev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Jul 2004 16:59:49 +0200
Source: udev
Binary: udev
Architecture: source i386
Version: 0.030-1
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri <email address hidden>
Changed-By: Marco d'Itri <email address hidden>
Description:
 udev - /dev/ management daemon
Closes: 254545 257165
Changes:
 udev (0.030-1) unstable; urgency=medium
 .
   * New upstream release.
   * New debconf translation: de. (Closes: #254545)
   * rtc: 660 => 664
   * input/*: 644 => 600 (Closes: #257165)
Files:
 f32cb03466ab3449539ac8ebefc87652 575 admin extra udev_0.030-1.dsc
 d5dc4f4c29f8c16421dcb56bba20550e 275445 admin extra udev_0.030.orig.tar.gz
 f84d597f045f87cc6d2c55b762d307de 19423 admin extra udev_0.030-1.diff.gz
 9bcd31a465a76ba3b10b3a9ef8dea1da 258184 admin extra udev_0.030-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA8YYWFGfw2OHuP7ERAjjpAJ45tVOHMDRFfutMETDKW+svPpJB6gCdGiwx
lmS+jmc9oU8fqwakJQ/zSgo=
=oGdm
-----END PGP SIGNATURE-----

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 11 Jul 2004 14:47:16 -0400
From: Marco d'Itri <email address hidden>
To: <email address hidden>
Subject: Bug#257165: fixed in udev 0.030-1

Source: udev
Source-Version: 0.030-1

We believe that the bug you reported is fixed in the latest version of
udev, which is due to be installed in the Debian FTP archive:

udev_0.030-1.diff.gz
  to pool/main/u/udev/udev_0.030-1.diff.gz
udev_0.030-1.dsc
  to pool/main/u/udev/udev_0.030-1.dsc
udev_0.030-1_i386.deb
  to pool/main/u/udev/udev_0.030-1_i386.deb
udev_0.030.orig.tar.gz
  to pool/main/u/udev/udev_0.030.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <email address hidden> (supplier of updated udev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Jul 2004 16:59:49 +0200
Source: udev
Binary: udev
Architecture: source i386
Version: 0.030-1
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri <email address hidden>
Changed-By: Marco d'Itri <email address hidden>
Description:
 udev - /dev/ management daemon
Closes: 254545 257165
Changes:
 udev (0.030-1) unstable; urgency=medium
 .
   * New upstream release.
   * New debconf translation: de. (Closes: #254545)
   * rtc: 660 => 664
   * input/*: 644 => 600 (Closes: #257165)
Files:
 f32cb03466ab3449539ac8ebefc87652 575 admin extra udev_0.030-1.dsc
 d5dc4f4c29f8c16421dcb56bba20550e 275445 admin extra udev_0.030.orig.tar.gz
 f84d597f045f87cc6d2c55b762d307de 19423 admin extra udev_0.030-1.diff.gz
 9bcd31a465a76ba3b10b3a9ef8dea1da 258184 admin extra udev_0.030-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA8YYWFGfw2OHuP7ERAjjpAJ45tVOHMDRFfutMETDKW+svPpJB6gCdGiwx
lmS+jmc9oU8fqwakJQ/zSgo=
=oGdm
-----END PGP SIGNATURE-----

Changed in udev:
status: Unknown → Fix Released
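
The check the reporter describes, as an added example that is not part of the original thread or of the udev package: a shell function (hypothetical name `audit_input_perms`) that lists nodes under /dev/input whose mode grants access to every local user, the 644 case changed to 600 in 0.030-1. It assumes GNU `find` and `stat`; the demo runs on constructed regular files in a temporary directory.

```shell
#!/bin/sh
# Added example: audit a device directory for nodes accessible by "other".
# Assumptions: GNU find/stat; the function names are hypothetical.

# audit_input_perms [DIR]  (DIR defaults to /dev/input)
# Prints one line per node whose mode has any "other" bit set (644 in this
# report) and returns non-zero if at least one was found. Directories and
# the by-id/by-path symlinks are skipped; only the nodes themselves count.
audit_input_perms() {
    dir=${1:-/dev/input}
    bad=0
    # The here-document keeps the loop in the current shell so $bad survives.
    while read -r mode owner path; do
        [ -n "$mode" ] || continue
        # stat prints the mode in octal; the leading 0 keeps it octal here.
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            printf 'WORLD-ACCESSIBLE %s %s %s\n' "$mode" "$owner" "$path"
            bad=$((bad + 1))
        fi
    done <<EOF
$(find "$dir" ! -type d ! -type l -exec stat -c '%a %U:%G %n' {} + 2>/dev/null)
EOF
    [ "$bad" -eq 0 ]
}

# Constructed demo: regular files stand in for event0/event1/mouse0, since
# creating real device nodes needs root. Only the 644 entry is reported.
demo_constructed() {
    d=$(mktemp -d) || return 1
    touch "$d/event0" "$d/event1" "$d/mouse0"
    chmod 644 "$d/event0"   # mode from the bug report
    chmod 600 "$d/event1"   # mode after the 0.030-1 change
    chmod 640 "$d/mouse0"   # the other mode the reporter calls acceptable
    audit_input_perms "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_constructed || echo "audit failed: at least one node is open to all users"
```

Run without arguments on a live system, the function inspects /dev/input itself and its exit status can gate a configuration check.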