Description of problem: Josh Bressers wrote: "Richard Cunningham reported to Red Hat that udev (at least versions 038 and 039, but not some later ones) sets the permissions in /dev/input to 644. This could allow any logged in user to read from /dev/input/event0, which will contain things such as keyboard input. I'm attaching the patch from our maintainer." This appears to affect FC2.
Removing embargo. Today Red Hat issued security advisory: [RHSA-2005:864-01] Important: udev security update for RHEL 4. "This update has been rated as having important security impact by the Red Hat Security Response Team." ... "The udev package contains an implementation of devfs in userspace using sysfs and /sbin/hotplug. "Richard Cunningham discovered a flaw in the way udev sets permissions on various files in /dev/input. It may be possible for an authenticated attacker to gather sensitive data entered by a user at the console, such as passwords. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3631 to this issue. "All users of udev should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue." More info available at: <http://www.redhat.com/archives/enterprise-watch-list/2005-December/msg00004.html>. This should affect the FC2 distro only, out of the 4 distros currently maintained by Fedora Legacy.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated udev packages to QA:

a6403028a41b52e8fce109840189ebbce4479229 2/udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8 3/udev-039-10.FC3.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/udev-024-6.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/udev-039-10.FC3.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD+QcmLMAs/0C4zNoRAp67AKCqAv6nnmkTKao1ftReeCCrkfz50gCfdUTa
W1JsQegDU2b4Ps0b1W6t8yc=
=IIAG
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- permissions changes look sane.

NOTE: RHEL4 changed the permissions of 'kbd' and 'js' to 0600 as well. However, as FC4 and upstream udev still seem to have these at 0644, this is probably not an issue.

+PUBLISH FC2, FC3

a6403028a41b52e8fce109840189ebbce4479229 udev-024-6.1.legacy.src.rpm
e8f24236e1b08ffa9235af897a6b0f08c80799d8 udev-039-10.FC3.9.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD+WNhGHbTkzxSL7QRAi5IAJ9jxooCYcpQFYt5bO+Ii0s+BpOJdgCgtCRH
RHFGbBj7nnFA6tZhDNjVqEc=
=ec7u
-----END PGP SIGNATURE-----
Packages were released to updates-testing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

fc2:
d2b2850b4066a595a4d3c162e151dc27c5b43198 udev-024-6.2.legacy.i386.rpm

fc3:
a2682a89f6fe03c2f2c2401caa511c299c1ae1cc udev-039-10.FC3.9.legacy.i386.rpm

Packages installed successfully. /dev/input/* permissions were correct; they were no longer group and world readable.

+VERIFY fc2,fc3.i386,fc3.x86_64
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEAm29pxMPKJzn2lIRAsPgAJ9VMvOTHRDjJN8sIQ8GlZyyxtlfdQCfRwq7
2sC1fHVz95/EsQRJvyJPIr4=
=glt3
-----END PGP SIGNATURE-----
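The verification step above (checking that nothing under /dev/input is still group- or world-readable) can be scripted. The following is an added example written for this thread, not code from the bug report, from udev or from the Fedora Legacy packages; it assumes GNU coreutils `stat` (the `-c` format) and takes the directory as an optional argument so it can be pointed at a test directory instead of the live /dev/input.

```shell
#!/bin/sh
# Added example (not part of the bug report or the udev packages): audit a
# device directory, /dev/input by default, for nodes that are group- or
# world-readable, the condition behind CVE-2005-3631, and optionally tighten
# them to 0600 as the updated packages do.
# Assumes GNU coreutils `stat` for the -c format.

# check_input_perms [DIR]
# Prints "<path> <symbolic mode>" for every node readable by group or other.
# Returns 0 when every node is private to its owner, 1 otherwise.
check_input_perms() {
    dir=${1:-/dev/input}
    status=0
    for node in "$dir"/*; do
        [ -e "$node" ] || continue           # empty dir: the glob stays literal
        mode=$(stat -c '%A' "$node")         # e.g. crw-r--r-- for a 0644 device
        grp=$(printf '%s' "$mode" | cut -c5) # group read bit
        oth=$(printf '%s' "$mode" | cut -c8) # other read bit
        if [ "$grp" = r ] || [ "$oth" = r ]; then
            printf '%s %s\n' "$node" "$mode"
            status=1
        fi
    done
    return $status
}

# fix_input_perms [DIR]
# Applies 0600 to every node check_input_perms reports. udev recreates the
# nodes on boot and hotplug, so this is only a stop-gap until the package's
# own permissions file carries the 0600 entries (which is what the update does).
fix_input_perms() {
    dir=${1:-/dev/input}
    check_input_perms "$dir" | while read -r node mode; do
        chmod 0600 "$node"
    done
}

# Stand-alone use: `sh udev-input-perms.sh [DIR]` reports offending nodes and
# exits non-zero if any were found. (Hypothetical file name.)
case $0 in
    */udev-input-perms.sh) check_input_perms "$@" ;;
esac
```

Run as root against the live directory after installing the update; an empty report and a zero exit status is the result the QA comment above describes.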
Thanks!
Packages were released.