Bug 175818

Summary: udev Permissions Vulnerability (CVE-2005-3631)
Product: [Retired] Fedora Legacy
Component: udev
Reporter: David Eisenstein <deisenst>
Assignee: Fedora Legacy Bugs <bugs>
CC: donjr, pekkas
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Whiteboard: LEGACY, 2, 3
Doc Type: Bug Fix
Last Closed: 2006-02-28 00:53:32 UTC

Description David Eisenstein 2005-12-15 13:00:46 UTC
Description of problem:

Josh Bressers wrote:
"Richard Cunningham reported to Red Hat that udev (at least versions 038 and
039, but not some later ones) sets the permissions in /dev/input to 644.
This could allow any logged in user to read from /dev/input/event0, which
will contain things such as keyboard input.  I'm attaching the patch from
our maintainer."

This appears to affect FC2.

Comment 1 David Eisenstein 2005-12-21 02:39:06 UTC
Removing embargo.

Today Red Hat issued security advisory:
   [RHSA-2005:864-01] Important: udev security update
for RHEL 4.

"This update has been rated as having important security impact by the Red
Hat Security Response Team." ...

"The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.

"Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such as
passwords. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-3631 to this issue.

"All users of udev should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to this issue."

More info available at:
<http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00004.html>.

This should affect only the FC2 distro of the 4 distros currently maintained by
Fedora Legacy.

Comment 2 Marc Deslauriers 2006-02-19 23:55:34 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated udev packages to QA:

a6403028a41b52e8fce109840189ebbce4479229  2/udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8  3/udev-039-10.FC3.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/udev-024-6.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/udev-039-10.FC3.9.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD+QcmLMAs/0C4zNoRAp67AKCqAv6nnmkTKao1ftReeCCrkfz50gCfdUTa
W1JsQegDU2b4Ps0b1W6t8yc=
=IIAG
-----END PGP SIGNATURE-----


Comment 3 Pekka Savola 2006-02-20 06:31:25 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - permissions changes look sane.
 
NOTE: RHEL4 changed the permissions of 'kbd' and 'js' to 0600 as well.
However, as FC4 and upstream udev still seem to have these at 0644, this is
probably not an issue.
 
+PUBLISH FC2, FC3
 
a6403028a41b52e8fce109840189ebbce4479229  udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8  udev-039-10.FC3.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD+WNhGHbTkzxSL7QRAi5IAJ9jxooCYcpQFYt5bO+Ii0s+BpOJdgCgtCRH
RHFGbBj7nnFA6tZhDNjVqEc=
=ec7u
-----END PGP SIGNATURE-----


Comment 4 Marc Deslauriers 2006-02-26 16:06:09 UTC
Packages were released to updates-testing

Comment 5 Donald Maner 2006-02-27 03:06:35 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

fc2:
d2b2850b4066a595a4d3c162e151dc27c5b43198  udev-024-6.2.legacy.i386.rpm

fc3:
a2682a89f6fe03c2f2c2401caa511c299c1ae1cc  udev-039-10.FC3.9.legacy.i386.rpm

Packages installed successfully.  /dev/input/* permissions were correct; they
were no longer group and world readable.

+VERIFY fc2,fc3.i386,fc3.x86_64

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEAm29pxMPKJzn2lIRAsPgAJ9VMvOTHRDjJN8sIQ8GlZyyxtlfdQCfRwq7
2sC1fHVz95/EsQRJvyJPIr4=
=glt3
-----END PGP SIGNATURE-----
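The condition the report describes (udev leaving /dev/input entries at 0644, so any logged-in user can read keyboard events) and the check Comment 5 performs by hand ("no longer group and world readable") can be scripted. The following is an added example, not code from the bug report, from udev or from Fedora Legacy; the function names are this example's own, the /dev/input path comes from the report, and the sample directory it builds is constructed test data rather than real device nodes.

```shell
#!/bin/sh
# Added example (not from the bug report or udev): audit a directory of
# device nodes for entries readable by group or others, the condition
# CVE-2005-3631 describes for /dev/input. Function names are this example's own.

# readable_by_others MODESTR
# MODESTR is a symbolic mode string as printed by 'ls -l', e.g. "crw-r--r--".
# Character 5 is the group read bit, character 8 the world read bit.
# Returns 0 (true) when either is set, 1 otherwise.
readable_by_others() {
    g=$(printf '%s' "$1" | cut -c5)
    o=$(printf '%s' "$1" | cut -c8)
    [ "$g" = "r" ] || [ "$o" = "r" ]
}

# audit_dir DIR
# Prints one line "<mode> <path>" for every entry of DIR that is group- or
# world-readable; prints nothing when the directory is clean.
audit_dir() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue            # empty directory: the glob stays literal
        mode=$(ls -ld "$f" | cut -c1-10)   # POSIX ls; avoids GNU-only 'stat -c'
        if readable_by_others "$mode"; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
    return 0
}

# make_sample
# Constructed test data (not real device nodes): a scratch directory with two
# regular files standing in for /dev/input entries, one at the vulnerable 0644
# mode the report describes and one at the fixed 0600. Prints the directory.
make_sample() {
    d=$(mktemp -d)
    : > "$d/event0" && chmod 0644 "$d/event0"
    : > "$d/mice"   && chmod 0600 "$d/mice"
    printf '%s\n' "$d"
}

# Stand-alone use: report on the live /dev/input if present, then on the sample.
if [ -d /dev/input ]; then
    audit_dir /dev/input
fi
sample=$(make_sample)
audit_dir "$sample"          # lists only the 0644 event0 entry
rm -rf "$sample"
```

The group-read test is deliberate: the Fedora Legacy fix and the RHEL4 advisory moved the files to 0600, and Comment 3 notes RHEL4 applied the same to 'kbd' and 'js', so anything readable by a group other than the owner is reported. If the policy being verified intentionally grants a group read access, relax the check on character 5 accordingly.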

Comment 6 Pekka Savola 2006-02-27 06:31:51 UTC
Thanks!

Comment 7 Marc Deslauriers 2006-02-28 00:53:32 UTC
Packages were released.