[Secure-testing-team] Bug#766520: Allow unlimited access to the device to any user
Vincent Bernat
bernat at debian.org
Thu Oct 23 18:45:03 UTC 2014
Package: garmin-plugin
Version: 0.3.23-1+b1
Severity: normal
File: /lib/udev/rules.d/60-garmin-plugin.rules
Tags: security patch
Hi!

The package installs a udev rule granting access to the device to any
user. Any user with an account on the machine can then do whatever
they want with the device.

I suggest using this udev rule instead:

ATTRS{idVendor}=="091e", ATTRS{idProduct}=="0003", MODE="0660", GROUP="plugdev", TAG+="uaccess"

Only users in the plugdev group or users located physically in front
of the machine will be able to access the device.

There is a similar udev rule in the garmin-forerunner-tools package
(but it doesn't do anything).

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages garmin-plugin depends on:
ii garmin-forerunner-tools 0.10repacked-5
ii iceweasel 31.2.0esr-2
ii libc6 2.19-12
ii libgcc1 1:4.9.1-18
ii libgcrypt20 1.6.2-4
ii libstdc++6 4.9.1-18
ii libtinyxml2.6.2 2.6.2-2
ii libusb-0.1-4 2:0.1.12-25
ii zlib1g 1:1.2.8.dfsg-2
garmin-plugin recommends no packages.
garmin-plugin suggests no packages.
-- no debconf information
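
Added example (not part of the original report and not code from the package): a small Python check that flags udev rules whose MODE opens the device node to every local user, and shows that the rule suggested in the report passes. The MODE="0666" and MODE="666" lines in the sample are constructed for illustration, since the report does not quote the installed rule; the function names are hypothetical.

```python
import re

# key, operator, quoted value: ATTRS{idVendor}=="091e", MODE="0660", TAG+="uaccess"
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def parse_assignments(rule):
    """Return (mode, group, tags) assigned by one udev rule; match keys are ignored."""
    mode, group, tags = None, None, set()
    for key, op, value in TOKEN.findall(rule):
        if op in ("==", "!="):
            continue                      # match keys only select devices
        if key == "MODE":
            try:
                mode = int(value, 8)      # "0660" and "660" are both octal
            except ValueError:
                pass                      # e.g. a substitution string; not judged here
        elif key == "GROUP":
            group = value
        elif key == "TAG" and op in ("=", "+="):
            tags.add(value)
    return mode, group, tags

def audit_rules(text):
    """Return [(line_number, finding)] for rules granting access to 'other'."""
    findings, pending, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = lineno
        line = pending + raw.strip()
        if line.endswith("\\"):           # udev joins backslash-continued lines
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        mode, _group, _tags = parse_assignments(line)
        if mode is not None and mode & 0o006:
            findings.append((start, "MODE=%04o is open to every local user" % mode))
    return findings

# Constructed sample input; only the second rule is taken from the report.
SAMPLE = '''\
# constructed over-permissive rule (not the package's actual file)
ATTRS{idVendor}=="091e", ATTRS{idProduct}=="0003", MODE="0666"
# rule suggested in the bug report
ATTRS{idVendor}=="091e", ATTRS{idProduct}=="0003", MODE="0660", GROUP="plugdev", TAG+="uaccess"
# constructed rule split over two lines
SUBSYSTEM=="usb", ATTRS{idVendor}=="091e", \\
  MODE="666"
'''

if __name__ == "__main__":
    for lineno, finding in audit_rules(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

The same function can be pointed at the contents of the files under /lib/udev/rules.d/ and /etc/udev/rules.d/ to list rules that need review.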