Bug#923375: brltty breaks usb serial devices; sends potentially harmful data to unknown devices

[fluffywolf]

Package: brltty
Version: 5.4-7+deb9u1
Severity: critical

brltty's default behavior seems to to not just claim all usb serial devices,
but to send random data to them, potentially causing harm to the connected
device.  

Grabbing all usb serial devices breaks every single other package related to
serial communications, qualifying it as a critical bug.  Default behavior
that sends data to unknown devices that is capable of causing damage to the
user's hardware is also a critical bug.

In my specific example, the autoprobing behavior caused an 8kW inverter to 
hard shut down, interrupting power to multiple residences.  This only caused
minor harm, and the system was able to be restarted once the serial connection
was disconnected, but could easily have caused severe harm, especially if I
hadn't noticed the issue promptly.  Default behavior with the potential to 
cause costly real-world damage is absolutely unacceptable, and this is a 
critical issue that needs to be fixed.  Web searches also found people 
complaining about all sorts of other problems caused by this behavior, such as
the popular Arduino device malfunctioning, as well as problems for 3d 
printers, industrial systems, and other devices.  Unknown devices absolutely 
should not be sent random data as a default behavior.

As a less-harmful behavior, that's still highly annoying, brltty prevents
the functioning of all usb serial devices, by default, with the default 
configuration.  "Breaks everything" should not be the default behavior of any
package.

This annoying behavior has been mentioned in other bugs, but the potential
to cause damage to devices has not, so I am filing a new bug, and marking
it critical.

Some possible suggestions:
  1) Don't grab any device, or attempt to probe any device, that does not
  have an id that explicitly and unambiguously identifies it as a 
  compatible terminal.  Users of other devices would need to manually
  configure.

  2) During install, prompt for whether brltty should be started on boot.
  If the user does not opt to start brltty, the default behavior would be
  a non-issue.  A warning should also be shown that starting brltty will
  break any other usb serial devices until it is manually configured.
  This is also mentioned in bug #598906.

  3) During install, prompt the user for their device's port.  If nothing
  is specified, do not access any ports.

  4) Don't send data to any unknown device.  This would reduce the issue to
  the annoying process of figuring out why a usb serial device unexpectedly
  doesn't work, which is better than potentially causing harm.

Two other open bugs, #667616 and #721763, contain statements that none of
the above would be acceptable, and the actual bug is that it got installed
in the first place.  However, no progress seems to have been made on 
eliminating any dependencies on brltty.  Since brltty is still being installed
unexpectedly on some systems, the default behavior needs to not be harmful.

My suggestion would be that if brltty is not being used during the
installation, the user should be prompted whether to enable it on boot, with
a warning that it may interfere with other devices.  This would cause no 
issues at all for people known to need it, and would prevent it from being
an unexpected problem for any users.  If brltty is being used during the
installation, then it should be enabled without asking.  You could also
check to see whether brltty is marked as being manually installed, and if
so, not prompt and enable by default, so that anyone who explicitly apt-get
installs it is assumed to want it, along with any issues it may cause.

Even if the user intentionally installs it, the assumption probably shouldn't
be that every usb serial device the user may have attached is a compatible 
terminal, and even users with compatible terminals may wish to use other usb 
serial devices, and expect that potentially harmful data will not be sent to
them.

I will also be filing bug reports against the dependency that got it installed
on my system, which I agree is also a bug, but I think the default as-
installed behavior potentially causing harm, especially hardware or other
physical damage, is itself a critical bug that must be addressed.  Installing
a package by accident, with no further action, should not be harmful to other
software or to the user's hardware.

Thanks,
--Fluffy




-- System Information:
Debian Release: 9
Architecture: amd64
 (x86_64)

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages brltty depends on:
ii  init-system-helpers    1.48+devuan2.0
ii  libasound2             1.1.3-5
ii  libbluetooth3          5.43-2+deb9u1
ii  libbrlapi0.6           5.4-7+deb9u1
ii  libc6                  2.24-11+deb9u4
ii  libglib2.0-0           2.50.3-2
ii  libgpm2                1.20.4-6.2+b1
ii  libicu57               57.1-6+deb9u2
ii  libncursesw5           6.0+20161126-1+deb9u2
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11
ii  libsystemd0            232-25+deb9u9
ii  libtinfo5              6.0+20161126-1+deb9u2
ii  lsb-base               4.1+devuan2
ii  policykit-1            0.105-18+devuan2.11

Versions of packages brltty recommends:
ii  python  2.7.13-2

Versions of packages brltty suggests:
pn  brltty-speechd   <none>
pn  brltty-x11       <none>
pn  console-braille  <none>

-- no debconf information