Bug 175818 - udev Permissions Vulnerability (CVE-2005-3631)
udev Permissions Vulnerability (CVE-2005-3631)
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: udev (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, 2, 3
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-15 08:00 EST by David Eisenstein
Modified: 2007-04-18 13:35 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-27 19:53:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description David Eisenstein 2005-12-15 08:00:46 EST
Description of problem:

Josh Bressers wrote:
"Richard Cunningham reported to Red Hat that udev (at least versions 038 and
039, but not some later ones) sets the permissions in /dev/input to 644.
This could allow any logged in user to read from /dev/input/event0, which
will contain things such as keyboard input.  I'm attaching the patch from
our maintainer."

This appears to affect FC2.
Comment 1 David Eisenstein 2005-12-20 21:39:06 EST
Removing embargo.

Today Red Hat issued security advisory:
   [RHSA-2005:864-01] Important: udev security update
for RHEL 4.

"This update has been rated as having important security impact by the Red
Hat Security Response Team." ...

"The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.

"Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such as
passwords. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-3631 to this issue.

"All users of udev should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to this issue."

More info available at:
<http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00004.html>.

This should affect the FC2 distro only from the 4 distro's currently main-
tained by Fedora Legacy.
Comment 2 Marc Deslauriers 2006-02-19 18:55:34 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updates udev packages to QA:

a6403028a41b52e8fce109840189ebbce4479229  2/udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8  3/udev-039-10.FC3.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/udev-024-6.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/udev-039-10.FC3.9.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD+QcmLMAs/0C4zNoRAp67AKCqAv6nnmkTKao1ftReeCCrkfz50gCfdUTa
W1JsQegDU2b4Ps0b1W6t8yc=
=IIAG
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2006-02-20 01:31:25 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - permissions changes look sane.
 
NOTE: RHEL4 changed the permissions of 'kbd' and 'js' to 0600 as well.
However, as FC4 and upstream udev still seem to have these at 0644, this is
probably not an issue.
 
+PUBLISH FC2, FC3
 
a6403028a41b52e8fce109840189ebbce4479229  udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8  udev-039-10.FC3.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD+WNhGHbTkzxSL7QRAi5IAJ9jxooCYcpQFYt5bO+Ii0s+BpOJdgCgtCRH
RHFGbBj7nnFA6tZhDNjVqEc=
=ec7u
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2006-02-26 11:06:09 EST
Packages were released to updates-testing
Comment 5 Donald Maner 2006-02-26 22:06:35 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

fc2:
d2b2850b4066a595a4d3c162e151dc27c5b43198  udev-024-6.2.legacy.i386.rpm

fc3:
a2682a89f6fe03c2f2c2401caa511c299c1ae1cc  udev-039-10.FC3.9.legacy.i386.rpm

Packages installed successfully.  /dev/input/* permissions were correct; they
were no longer group and world readable.

+VERIFY fc2,fc3.i386,fc3.x86_64

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEAm29pxMPKJzn2lIRAsPgAJ9VMvOTHRDjJN8sIQ8GlZyyxtlfdQCfRwq7
2sC1fHVz95/EsQRJvyJPIr4=
=glt3
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2006-02-27 01:31:51 EST
Thanks!
Comment 7 Marc Deslauriers 2006-02-27 19:53:32 EST
Packages were released.

Note You need to log in before you can comment on or make changes to this bug.