
Bug 727034

Summary: sys-apps/hw-probe uploads user data by default
Product: Gentoo Security
Reporter: Justin W <gentoo.org>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: conikost
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/linuxhw/hw-probe/commit/07ff9f20b5ebc23db596691037d04e0eef460f3b
Whiteboard:
Package list:
Runtime testing required: ---

Description Justin W 2020-06-04 00:43:05 UTC
The app sys-apps/hw-probe in Gentoo has this description:

"A tool to probe for hardware, check it's operability and find drivers"

Grammatical error aside, that doesn't tell you that YOUR DATA WILL BE UPLOADED IN THE DEFAULT CONFIGURATION.

This is decidedly NOT ok.  Fortunately I was paying attention when I ran it to see this:

# hw-probe
Executing hw-probe -all -upload

I smashed CTRL-C and then re-ran it without upload permission to find the report it created (and presumably uploads) has service tags and serial #s in it!

This is a grave error and should absolutely NOT be the default without the user explicitly opting in.
Comment 1 Conrad Kostecki gentoo-dev 2020-06-04 12:56:31 UTC
When you emerge that package for the first time, you are getting a note that by default all data is being uploaded?

https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-apps/hw-probe/files/README.gentoo

Wasn't that the case for you?

(In reply to Justin W from comment #0)
> I has service tags and serial #s in it!

I would also recommend reporting that to upstream.
Comment 2 Justin W 2020-06-04 18:07:58 UTC
Yes, the warning is there; however, that's not good enough.  Someone who's installing this amongst a bunch of other packages, or is just going based off of description and misses it shouldn't be expected to find a single line in the emerge output.

This looks too much like the direction so many other companies are going these days, disregarding users' privacy.  There is no excuse whatsoever to have an application upload a user's information without them explicitly opting in.
Comment 3 Larry the Git Cow gentoo-dev 2020-09-23 21:54:13 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=faa876cc70a5314333bf8b1df056a865e752ffb3

commit faa876cc70a5314333bf8b1df056a865e752ffb3
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2020-09-23 20:46:10 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2020-09-23 21:53:52 +0000

    sys-apps/hw-probe: disable automatic data upload
    
    Closes: https://bugs.gentoo.org/727034
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 .../hw-probe-1.5-disable-automatic-upload.patch    | 36 +++++++++++
 sys-apps/hw-probe/hw-probe-1.5-r1.ebuild           | 64 ++++++++++++++++++++
 sys-apps/hw-probe/hw-probe-1.6_beta2-r1.ebuild     | 70 ++++++++++++++++++++++
 3 files changed, 170 insertions(+)
Comment 4 Conrad Kostecki gentoo-dev 2020-09-25 08:30:08 UTC
For future reference, upstream merged my patch and running hw-probe shell will now only print help and do nothing.
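
Added example, not part of the bug thread, the Gentoo patch or the upstream commit: a shell guard for a host that still runs a hw-probe build with the behaviour reported above. It treats a bare invocation as an upload request and refuses any upload unless the user has opted in. The names HW_PROBE_ALLOW_UPLOAD, HW_PROBE_BIN, hw_probe_upload_decision and hw_probe_guarded are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Opt-in guard for hw-probe invocations (added example, not project code).
# HW_PROBE_ALLOW_UPLOAD and HW_PROBE_BIN are hypothetical variable names.

# Print "allow" or "deny" for the given hw-probe argument list.
hw_probe_upload_decision() {
    uploads=no
    # Per the report above, a bare `hw-probe` ran `hw-probe -all -upload`
    # in the affected version, so an empty argument list counts as an upload.
    if [ "$#" -eq 0 ]; then
        uploads=yes
    fi
    for arg in "$@"; do
        case "$arg" in
            # Assumption: a double-dash spelling is treated the same way,
            # so the guard errs on the side of blocking.
            -upload|--upload) uploads=yes ;;
        esac
    done
    if [ "$uploads" = yes ] && [ "${HW_PROBE_ALLOW_UPLOAD:-0}" != 1 ]; then
        echo deny
    else
        echo allow
    fi
}

# Run hw-probe only when the decision is "allow"; otherwise explain and fail.
hw_probe_guarded() {
    if [ "$(hw_probe_upload_decision "$@")" = allow ]; then
        "${HW_PROBE_BIN:-hw-probe}" "$@"
    else
        echo "hw-probe: upload blocked; set HW_PROBE_ALLOW_UPLOAD=1 to opt in" >&2
        return 1
    fi
}
```

With the guard in place, `hw_probe_guarded -all` still produces a local probe, while a bare call or one carrying `-upload` fails until the opt-in variable is set.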