oss-sec mailing list archives
Re: CVE request: kernel information leak via userspace USB interface
From: Marcus Meissner <meissner () suse de>
Date: Thu, 18 Feb 2010 17:41:19 +0100
On Thu, Feb 18, 2010 at 09:09:15AM +0800, Eugene Teo wrote:
> Hi Marcus,
>
> On 02/17/2010 06:29 PM, Marcus Meissner wrote:
>> While programming a USB device using libusb I found that a usb read from the device returned data it should not.
> [...]
>> Access to USB userspace devices either requires root access or desktop user access via udev/hal ACLs on non-mass-storage Digital Cameras or Media Players. (So the desktop user needs to plug in such an ACL getting device before being able to read the memory).
>
> To abuse this, you will need physical access to plug in a USB device, so I do not think this should be regarded as a security issue.

Hmm. Or you exploit the desktop user and then wait until he plugs in such a device (ok, kind of a theoretical scenario, let's ignore).

Are we considering "giving desktop local users unintended rights" a security issue or not?

(Hmm, init=/bin/sh booting and pressing reset might come into play here too. Then we would not consider that.)

Ciao, Marcus