Headline
CVE-2022-23220: org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc… · gregkh/usbview@bf374fa
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
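The weak setting described above is an implicit-authorization default in a polkit `.policy` file. The following audit helper, added here as an example and not part of usbview or polkit, parses such a file and flags `allow_any` / `allow_inactive` / `allow_active` values that grant a `pkexec` action without an administrator prompt; the two embedded policy documents are constructed to mirror the vulnerable and fixed defaults, and the action id `org.example.usbview` is an assumed placeholder, not the project's real id.

```python
"""Audit polkit .policy files for pkexec actions that run as root without admin auth."""
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"
NO_AUTH = {"yes"}                            # granted with no prompt at all
WEAK_AUTH = {"auth_self", "auth_self_keep"}  # prompts for the caller's own password


def audit_policy(xml_text):
    """Return (action_id, setting, value, severity) for each risky default found."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.iter("action"):
        action_id = action.get("id", "<unknown>")
        # A pkexec action is one that carries an exec.path annotation.
        exec_path = next((a.text for a in action.findall("annotate")
                          if a.get("key") == EXEC_PATH_KEY), None)
        defaults = action.find("defaults")
        if defaults is None:
            continue  # polkit treats missing defaults as "no"
        for setting in ("allow_any", "allow_inactive", "allow_active"):
            node = defaults.find(setting)
            value = (node.text or "").strip() if node is not None else "no"
            if value in NO_AUTH:
                # "yes" on a pkexec action means anyone reaching pkexec gets root.
                findings.append((action_id, setting, value,
                                 "high" if exec_path else "medium"))
            elif value in WEAK_AUTH:
                findings.append((action_id, setting, value, "low"))
    return findings


# Constructed sample: defaults as they were before the fix (yes/yes/auth_admin_keep).
VULNERABLE = """<policyconfig>
  <action id="org.example.usbview">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
  </action>
</policyconfig>"""

# Constructed sample: defaults after the fix (no/no/auth_admin_keep).
FIXED = VULNERABLE.replace("<allow_any>yes", "<allow_any>no") \
                  .replace("<allow_inactive>yes", "<allow_inactive>no")

if __name__ == "__main__":
    for doc in (VULNERABLE, FIXED):
        print(audit_policy(doc) or "no risky defaults")
```

Run it against `/usr/share/polkit-1/actions/*.policy` to spot other actions that pair an `exec.path` annotation with `allow_any`/`allow_inactive` set to `yes`.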
org.freedesktop.pkexec.usbview.policy: fix a local root privilege esc…
…alation issue via pkexec (CVE-2022-23220).
The polkit policy allowed unprivileged users to run usbview as root with arbitrary command line arguments, allowing a local root exploit.
Signed-off-by: Greg Kroah-Hartman [email protected]
gregkh committed
Jan 21, 2022
1 parent 4a5de69 commit bf374fa
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions org.freedesktop.pkexec.usbview.policy
@@ -8,8 +8,8 @@
<message>Authentication is required to view USB bus</message>
<icon_name>usbview_icon</icon_name>
<defaults>
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
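Review bot: the removed pair `<allow_any>yes</allow_any>` / `<allow_inactive>yes</allow_inactive>` and the added pair setting both to `no` (the rendered view has dropped the `-`/`+` markers) close the no-prompt path for non-active sessions such as SSH logins, but the hunk leaves `allow_active` at `auth_admin_keep` and the `org.freedesktop.policykit.exec.path` annotation still passes whatever arguments the caller supplies to `/usr/bin/usbview` as root. Since the commit message names arbitrary command-line arguments as the problem, it would help to state in the message that the fix gates the action behind an administrator password rather than restricting arguments, and that the `_keep` variant caches that authorization for a short period, so a console user who has authenticated once is not prompted again until it expires.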
Related news
Gentoo Linux Security Advisory 202310-15 - A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation. Versions greater than or equal to 2.2 are affected.