Version in base suite: 2.0-21-g6fe2f4f-2 Base version: usbview_2.0-21-g6fe2f4f-2 Target version: usbview_2.0-21-g6fe2f4f-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/usbview/usbview_2.0-21-g6fe2f4f-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/usbview/usbview_2.0-21-g6fe2f4f-2+deb11u1.dsc changelog | 8 +++++++ patches/CVE-2022-23220-usbview.policy.patch | 27 +++++++++++++++++++++++ patches/pkexec-hardening.patch | 32 ++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 69 insertions(+) diff -Nru usbview-2.0-21-g6fe2f4f/debian/changelog usbview-2.0-21-g6fe2f4f/debian/changelog --- usbview-2.0-21-g6fe2f4f/debian/changelog 2018-06-04 09:52:41.000000000 +0000 +++ usbview-2.0-21-g6fe2f4f/debian/changelog 2022-01-15 16:00:59.000000000 +0000 @@ -1,3 +1,11 @@ +usbview (2.0-21-g6fe2f4f-2+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix authorization for inactive or arbitrary other users (CVE-2022-23220) + * Pass on the command line parameters to GTK only if not invoked via pkexec + + -- Salvatore Bonaccorso Sat, 15 Jan 2022 17:00:59 +0100 + usbview (2.0-21-g6fe2f4f-2) unstable; urgency=low * Add build dependency on librsvg2-bin since the imagemagick diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch --- usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch 1970-01-01 00:00:00.000000000 +0000 +++ usbview-2.0-21-g6fe2f4f/debian/patches/CVE-2022-23220-usbview.policy.patch 2022-01-15 16:00:59.000000000 +0000 
@@ -0,0 +1,27 @@ +Description: Fix authorization for inactive or arbitrary other users (CVE-2022-23220) + The original settings effectively mean that only a user in a local and + active (graphical) session needs to enter a root password to run + usbview as root. Users in inactive (e.g. locked) sessions or arbitrary + other users (e.g. logged in via SSH) can run usbview as root without + providing any authentication at all. +Origin: vendor +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-23220 +Author: Matthias Gerstner +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2022-01-15 + +diff --git a/org.freedesktop.pkexec.usbview.policy b/org.freedesktop.pkexec.usbview.policy +index 0f0bb34..d2c477d 100644 +--- a/org.freedesktop.pkexec.usbview.policy ++++ b/org.freedesktop.pkexec.usbview.policy +@@ -8,8 +8,8 @@ + Authentication is required to view USB bus + usbview_icon + +- yes +- yes ++ no ++ no + auth_admin_keep + + /usr/bin/usbview diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch --- usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch 1970-01-01 00:00:00.000000000 +0000 +++ usbview-2.0-21-g6fe2f4f/debian/patches/pkexec-hardening.patch 2022-01-15 16:00:59.000000000 +0000 
@@ -0,0 +1,32 @@ +Description: Pass on the command line parameters to GTK only if not invoked via pkexec +Origin: vendor +Author: Matthias Gerstner +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2022-01-15 + +diff --git a/main.c b/main.c +index e0cb7c1..5f7a1e7 100644 +--- a/main.c ++++ b/main.c +@@ -7,6 +7,8 @@ + #include + #endif + ++#include ++ + #include + + #include "usbtree.h" +@@ -14,8 +16,11 @@ + int main (int argc, char *argv[]) + { + GtkWidget *window1; ++ gboolean is_pkexec = getenv("PKEXEC_UID") != NULL; + +- gtk_init (&argc, &argv); ++ // only evalute command line parameters if not running in pkexec ++ // privilege escalation context to avoid potential attack vectors ++ gtk_init (is_pkexec ? NULL : &argc, is_pkexec ? NULL : &argv); + + initialize_stuff(); + diff -Nru usbview-2.0-21-g6fe2f4f/debian/patches/series usbview-2.0-21-g6fe2f4f/debian/patches/series --- usbview-2.0-21-g6fe2f4f/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ usbview-2.0-21-g6fe2f4f/debian/patches/series 2022-01-15 16:00:59.000000000 +0000 @@ -0,0 +1,2 @@ +CVE-2022-23220-usbview.policy.patch +pkexec-hardening.patch
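Review bot: In the org.freedesktop.pkexec.usbview.policy hunk the two values flipped from yes to no are the ones for "any" and "inactive" sessions that the Description refers to, but the third value is left at auth_admin_keep; the _keep variant makes polkit cache a successful admin authentication for a few minutes, so any later process in the same active session can start usbview as root again without a fresh prompt. Consider auth_admin unless that convenience is deliberate, and say so in the Description either way, since the element names do not appear on the changed lines and a reader only sees yes/no pairs.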
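Review bot: The main.c hunk's getenv("PKEXEC_UID") test fails safe: pkexec sets PKEXEC_UID itself after clearing the caller's environment, so a caller going through pkexec cannot suppress it, and an unprivileged caller who exports it by hand only disables argument parsing for their own non-root run. Three smaller points: the new `+#include` line carries no header name, and getenv needs stdlib.h; the comment reads "evalute" for "evaluate"; and the Description stops at "potential attack vectors", whereas naming the concrete one (gtk_init's own option parser accepts --gtk-module, which loads a shared object into what is here a root process) would document why argv must not reach gtk_init under pkexec. Passing NULL for both argc and argv to gtk_init is permitted, so `gtk_init (is_pkexec ? NULL : &argc, is_pkexec ? NULL : &argv);` is correct as written.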