Created attachment 413694
Remove spurious \n to fix udev rule generation

libfprint generates 60-fprint-autosuspend.rules for all supported devices; however, there's a spurious \n before the ', MODE="0666"' which results in it appearing on a new line after the match criteria. At least on current systemd/udev this results in MODE="0666" being applied unconditionally to all device nodes. This is an extremely serious security problem and effectively gives root access to all users simply by having the ebuild emerged.
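A check for the failure described in this report, as an added example that is not part of the original bug, the attached patch, or libfprint: it flags any rule line that assigns MODE without a match key on the same line, which is what a stray newline before `, MODE="0666"` produces. The sample rules and the vendor/product IDs in them are constructed placeholders.

```python
import re

# key, operator, quoted value; "==" and "!=" match, every other operator assigns
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
MATCH_OPS = {"==", "!="}

# Constructed samples; the IDs are placeholders, not values from the report.
BROKEN = '''\
# generated autosuspend rules (constructed sample)
SUBSYSTEM=="usb", ATTRS{idVendor}=="0000", ATTRS{idProduct}=="0001", ATTR{power/control}="auto"
, MODE="0666"
'''
FIXED = '''\
SUBSYSTEM=="usb", ATTRS{idVendor}=="0000", ATTRS{idProduct}=="0001", ATTR{power/control}="auto", MODE="0666"
'''


def logical_lines(text):
    """Yield (first_line_number, rule), joining backslash continuations."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = num
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and not line.startswith("#"):
            yield start, line


def world_writable(mode):
    """True when the octal mode grants write permission to 'other'."""
    try:
        return bool(int(mode, 8) & 0o002)
    except ValueError:
        return False


def unconditional_modes(text):
    """Return (line, mode, world_writable) for MODE set with no match key."""
    findings = []
    for num, line in logical_lines(text):
        tokens = TOKEN.findall(line)
        if any(op in MATCH_OPS for _, op, _ in tokens):
            continue  # the line carries a match key, so MODE is scoped by it
        for key, op, value in tokens:
            if key == "MODE":
                findings.append((num, value, world_writable(value)))
    return findings
```

Running `unconditional_modes()` over the generated rules file at build time or in a post-install check catches this class of regression before the rule reaches udev.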
Steven, thank you for this report. I am adding the security team to CC and also the security keyword so that this gets the correct attention. In the future, please add the PATCH and SECURITY keywords for bugs that contain patches and bugs that are security related respectively. This causes them to be prioritized by both the maintainer (because of the PATCH keyword) and security team (because of the SECURITY keyword).
I have the same issue. And it's definitely a Critical security issue.
This is an unstable / testing version. Setting whiteboard to ~1
commit 7c64231d37ba906f77ddc02e8f67b6d784e69b1f
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Tue Feb 16 21:57:56 2016

    sys-auth/libfprint: Security revbump fixing broken udev rule (bug #562218).

    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
*** Bug 573366 has been marked as a duplicate of this bug. ***
Maintainer(s), Thank you for your work. No stable versions, closing as noglsa.