udev Insecure File Permissions in '/dev/input' May Let Local Users Obtain Sensitive Information
SecurityTracker Alert ID: 1015386
SecurityTracker URL: http://securitytracker.com/id/1015386
CVE Reference:
CVE-2005-3631
Date: Dec 20 2005
Impact:
Disclosure of authentication information, Disclosure of user information
Version(s): possibly v078
Description:
A vulnerability was reported in udev. A local user may be able to obtain potentially sensitive user data.
The udev application does not properly set permissions on various files in /dev/input. A local user may be able to access the files to obtain potentially sensitive data entered by a user at the console, such as passwords.
Richard Cunningham discovered this vulnerability.
Impact:
A local user may be able to obtain potentially sensitive user data.
Solution:
No upstream solution was available at the time of this entry.
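A way to check a system for the permission problem described above, as an added example that is not part of the original advisory: the function lists device nodes whose mode lets users outside the owner and group read or write them. The function name `audit_input_perms`, its return codes and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): list entries under a device
# directory whose mode grants read or write access to "other".
# The function name and the output format are choices made for this example.

# audit_input_perms [DIR]
#   Prints one line per exposed entry: "<octal mode> <owner>:<group> <path>".
#   Returns 0 when nothing is exposed, 1 when at least one entry is,
#   2 when DIR does not exist.
audit_input_perms() {
    dir=${1:-/dev/input}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Skip directories and symlinks (a symlink's own mode says nothing about
    # the node it points to); test the real entries for o+r (004) or o+w (002).
    exposed=$(find "$dir" ! -type d ! -type l \
                  \( -perm -004 -o -perm -002 \) -print 2>/dev/null | sort)

    [ -z "$exposed" ] && return 0

    # stat -c is the GNU coreutils form; the advisory concerns Linux systems.
    printf '%s\n' "$exposed" | while IFS= read -r path; do
        stat -c '%a %U:%G %n' "$path"
    done
    return 1
}
```

Called with no argument it inspects `/dev/input`; every line it prints is a node that any local account can open.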
Vendor URL: www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
Cause:
Access control error
Underlying OS:
Linux (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 20 Dec 2005 14:12:35 -0500
Subject: udev vulnerability
Red Hat reported:
The udev package contains an implementation of devfs in userspace using
sysfs and /sbin/hotplug.
Richard Cunningham discovered a flaw in the way udev sets permissions on
various files in /dev/input. It may be possible for an authenticated
attacker to gather sensitive data entered by a user at the console, such as
passwords. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-3631 to this issue.