FS#69382 - [dfu-util] insecure udev rule installed
Attached to Project:
Community Packages
Opened by Thomas Weißschuh (t-8ch) - Wednesday, 20 January 2021, 13:26 GMT
Last edited by Toolybird (Toolybird) - Sunday, 07 May 2023, 05:08 GMT
Details
Description:
The package dfu-util version 0.10-1 installs a udev rule that allows world-writable access to certain USB devices. This udev rule is *not* part of upstream and only added by that Arch package. It seems the file is a left-over from the package's existence as an AUR package.

The following problems exist:
* As this is a DFU device the rule allows any user to actually reprogram the device.
* The udev rule is inconsistent as only this one device is handled, all other devices supported by dfu-util are not handled.

I propose to remove the rule completely. A more secure variant would be to add a "uaccess" tag but that still leaves the special handling for only this specific device.

Additional info:
* Package version 0.10-1

Steps to reproduce:
* Install package dfu-util 0.10-1
* Look at /usr/lib/udev/rules.d/48-stm32dfu.rules
The rule covers all STM32 bootloaders (they all show up as 0483:df11 in DFU mode), that's a fair number of devices, and a popular target for this package. Naturally, trying to fill the rule file with all possible supported devices would be a lot of work.
For the discussion of security, note that most devices need physical access (headers etc.) to switch into DFU mode, or corresponding authorization in the Run-time mode application (which would present a different USB ID). In most cases it is a desktop user that plugs the device in for updating firmware, like any other USB dongle.
The security issues should be handled by the usage of the "uaccess" tag.
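
A check for the class of rule this report describes, as an added example that is not part of the original report or of the dfu-util package: a shell function that scans udev rule directories for rules assigning a world-writable MODE and notes whether the same rule also carries the "uaccess" tag. The function name `audit_udev_rules` is an assumption made for this example, and rules split across lines with a trailing backslash are not joined.

```shell
#!/bin/sh
# Added example: flag udev rules that make device nodes world-writable.
# Usage: audit_udev_rules /etc/udev/rules.d /usr/lib/udev/rules.d
# Output: one line per finding, "file:line: kind (MODE=value)".

audit_udev_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                # Skip comment lines.
                /^[[:space:]]*#/ { next }
                {
                    # Match assignments only (MODE="..." or MODE:="...").
                    # A comparison such as MODE=="0666" does not match,
                    # because a second "=" follows instead of a quote.
                    if (match($0, /MODE:?="[0-7]+"/)) {
                        m = substr($0, RSTART, RLENGTH)
                        gsub(/[^0-7]/, "", m)          # keep the octal digits
                        other = substr(m, length(m), 1) # permissions for "other"
                        # Write bit (value 2) is set in digits 2, 3, 6 and 7.
                        if (other ~ /[2367]/) {
                            kind = "world-writable"
                            if ($0 ~ /TAG\+="uaccess"/)
                                kind = "world-writable+uaccess"
                            printf "%s:%d: %s (MODE=%s)\n", file, FNR, kind, m
                        }
                    }
                }' "$f"
        done
    done
}
```

A rule that relies on the "uaccess" tag alone produces no finding here; note that systemd applies that tag in `73-seat-late.rules`, so a rule setting it has to live in a file that sorts before 73.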