[Android-tools-devel] Bug#821923: android-tools-adb: udev rules allow raw access to unrelated devices
Vincent Pelletier
plr.vincent at gmail.com
Wed Apr 20 13:24:36 UTC 2016
Package: android-tools-adb
Version: 5.1.1.r29-2
Severity: important
Dear Maintainer,
I just found out that I could open a few USB devices on my system that I did
not expect to be able to:
- an Intel bluetooth dongle (actually, a mini-PCI-x card exposing bluetooth
  function on USB and wifi on PCI-x)
  VendorID: 0x8087
  udev rule: ATTR{idVendor}=="8087", ENV{adb_user}="yes"
- a Huawei 3G modem USB dongle
  VendorID: 0x12d1
  udev rule: ATTR{idVendor}=="12d1", ENV{adb_user}="yes"
And, last but not least:
- my ThinkPad USB keyboard (actually a USB keyboard with the same layout as
  on a ThinkPad laptop)
  VendorID: 0x17ef
  udev rule: ATTR{idVendor}=="17ef", ENV{adb_user}="yes"
As you can see, none of these is an android device.
I am not a member of the adb group, but because of logind-handled udev device
tags, ACLs are granted to my user on these devices.
I am *not* comfortable with the idea of any process running in my session
being technically allowed to open any USB device, even less my keyboard, for
security reasons which should be blindingly obvious.
Please do not allow such broad udev rules to be installed!
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 4.5.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages android-tools-adb depends on:
ii libc6 2.22-6
ii libssl1.0.2 1.0.2g-1
ii zlib1g 1:1.2.8.dfsg-2+b1
android-tools-adb recommends no packages.
android-tools-adb suggests no packages.
-- no debconf information
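
Added example, not part of the original report and not code from the android-tools-adb package: a small audit that parses single-line udev rules and flags any rule that sets ENV{adb_user}="yes" while matching on ATTR{idVendor} alone, which is the pattern quoted in the report. The set of keys treated as narrowing, the sample file, and the fifth sample rule (an interface match on the ADB class/subclass/protocol ff/42/01) are assumptions of this example.

```python
import re

# One udev token: KEY or KEY{attr}, an operator, and a double-quoted value.
TOKEN = re.compile(
    r'\s*([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*(?:,|$)')

VENDOR_KEYS = {"ATTR{idVendor}", "ATTRS{idVendor}"}
# Match keys treated here as narrowing a rule below "whole vendor".
# This set is an assumption of the example, not taken from the report.
NARROWING_KEYS = {"ATTR{idProduct}", "ATTRS{idProduct}", "ENV{ID_USB_INTERFACES}"}

# Constructed sample; lines 2-4 are the rules quoted in the report, line 5 is
# a hypothetical rule that also requires the ADB interface (ff/42/01).
SAMPLE_RULES = """\
# sample rules file
ATTR{idVendor}=="8087", ENV{adb_user}="yes"
ATTR{idVendor}=="12d1", ENV{adb_user}="yes"
ATTR{idVendor}=="17ef", ENV{adb_user}="yes"
ATTR{idVendor}=="12d1", ENV{ID_USB_INTERFACES}=="*:ff4201:*", ENV{adb_user}="yes"
"""

def parse_rule(line):
    """Split one rule into (matches, assignments), each a list of (key, op, value)."""
    matches, assigns = [], []
    for key, op, value in TOKEN.findall(line):
        (matches if op in ("==", "!=") else assigns).append((key, op, value))
    return matches, assigns

def audit(rules_text):
    """Return (line_number, vendor_id) for each rule that sets adb_user="yes"
    while matching on the vendor ID alone."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = parse_rule(line)
        vendors = [v for k, op, v in matches if k in VENDOR_KEYS and op == "=="]
        narrowed = any(k in NARROWING_KEYS and op == "==" for k, op, _ in matches)
        grants = any(k == "ENV{adb_user}" and v == "yes" for k, _, v in assigns)
        if vendors and grants and not narrowed:
            findings.append((lineno, vendors[0].lower()))
    return findings

if __name__ == "__main__":
    for lineno, vendor in audit(SAMPLE_RULES):
        print(f"line {lineno}: vendor {vendor} is granted adb_user for every device")
```

The parser handles one rule per line only; rules split with trailing backslashes or gated by GOTO/LABEL would need to be joined or traced before being passed to audit().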