
Bug 562218

Summary: <sys-auth/libfprint-0.6.0-r2: installs broken udev rule (all dev nodes 0666)
Product: Gentoo Security
Reporter: Steven Newbury <steve>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: jj, t.kaergel, xmw
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Remove spurious \n to fix udev rule generation (flags: none)

Description Steven Newbury 2015-10-04 10:13:27 UTC
Created attachment 413694: Remove spurious \n to fix udev rule generation

libfprint generates 60-fprint-autosuspend.rules for all supported devices, however there's a spurious \n before the ', MODE="0666"' which results in it appearing on a new line after the match criteria.  At least on current systemd/udev this results in MODE="0666" being applied unconditionally to all device nodes.  This is an extremely serious security problem and effectively gives root access to all users simply by having the ebuild emerged.
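As an added example (not code from the bug report or from libfprint), a small Python audit for the failure mode Steven describes: a rule line that carries assignments but no match key, which udev then applies to every device event. The sample rule text, the vendor/product IDs and the helper names (`split_tokens`, `world_writable`, `audit_udev_rules`) are constructed for this illustration.

```python
import re
# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN_RE = re.compile(r'^\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*$')
MATCH_OPS = {"==", "!="}          # every other operator is an assignment
CONTROL_KEYS = {"LABEL", "GOTO"}  # flow control keys, legitimately unconditional

# Constructed sample modelled on the bug: the newline before ', MODE="0666"' leaves
# that assignment on a line of its own, with no match key in front of it.
BROKEN_RULES = ('# constructed sample, not the real 60-fprint-autosuspend.rules\n'
                'ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="1234", '
                'ATTRS{idProduct}=="abcd", ATTR{power/control}="auto"\n, MODE="0666"\n')
FIXED_RULES = BROKEN_RULES.replace('"auto"\n, MODE', '"auto", MODE')

def split_tokens(line):
    """Split a rule line on commas that sit outside double quotes."""
    tokens, current, in_quote = [], [], False
    for ch in line:
        in_quote ^= (ch == '"')
        if ch == "," and not in_quote:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    return [t for t in tokens if t.strip()]

def world_writable(mode):
    """True if an octal MODE value grants write access to 'other'."""
    try:
        return int(mode, 8) & 0o002 != 0
    except ValueError:
        return False

def audit_udev_rules(text):
    """Return (lineno, severity, message) for lines that assign with no match key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parsed = [m for m in map(TOKEN_RE.match, split_tokens(stripped)) if m]
        matches = [p for p in parsed if p.group(2) in MATCH_OPS]
        assigns = [p for p in parsed if p.group(2) not in MATCH_OPS and p.group(1) not in CONTROL_KEYS]
        if assigns and not matches:  # udev applies such a line to every device event
            keys = ", ".join(p.group(1) for p in assigns)
            modes = [p.group(3) for p in assigns if p.group(1) == "MODE"]
            sev = "critical" if any(world_writable(m) for m in modes) else "warning"
            findings.append((lineno, sev, f"no match key; {keys} applies to every device"))
    return findings
```

Running `audit_udev_rules` over the installed rules directory before accepting a package that ships udev rules would have caught this file, since the stray `, MODE="0666"` line is flagged as critical while the repaired single-line rule produces no finding.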
Comment 1 Richard Yao (RETIRED) gentoo-dev 2015-12-14 14:08:25 UTC
Steven, thank you for this report. I am adding the security team to CC and also the security keyword so that this gets the correct attention.

In the future, please add the PATCH and SECURITY keywords for bugs that contain patches and bugs that are security related respectively. This causes them to be prioritized by both the maintainer (because of the PATCH keyword) and security team (because of the SECURITY keyword).
Comment 2 cono 2015-12-25 10:38:07 UTC
I have the same issue. And it's definitely a Critical security issue.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 08:23:59 UTC
This is an unstable / testing version. Setting whiteboard to ~1
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-16 20:59:39 UTC
commit 7c64231d37ba906f77ddc02e8f67b6d784e69b1f
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Feb 16 21:57:56 2016

    sys-auth/libfprint: Security revbump fixing broken udev rule (bug #562218).

    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 5 Chí-Thanh Christopher Nguyễn gentoo-dev 2016-02-23 15:56:52 UTC
*** Bug 573366 has been marked as a duplicate of this bug. ***
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 06:25:43 UTC
Maintainer(s), thank you for your work.
No stable versions, closing as noglsa.