Date: Mon, 22 Aug 2016 16:55:42 -0400 From: Greg KH <greg@...ah.com> To: oss-security@...ts.openwall.com Cc: meissner@...e.de, cve-assign@...re.org Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices On Mon, Aug 22, 2016 at 02:37:17PM -0400, cve-assign@...re.org wrote: > There has been a related CVE for five years (CVE-2011-0640), although > selecting udev as the responsible component was probably not the right > approach, and maybe that CVE should be updated or rejected. We think > the current understanding, very roughly, is: Yes, udev isn't the correct place for it, but I really don't know what would be. What "tool" was assigned this CVE for other operating systems that do the same thing (all BSDs, OS-X, Windows, etc.)? > > - the Linux kernel does not require a configuration in which a newly > connected USB device is recognized in any way I don't understand this statement, can you clarify? The Linux kernel has a configuration that does not allow any USB devices to work, unless explicitly granted permission to do so by a userspace tool. The device will be enumerated, but that is all, it is up to userspace to then tell the kernel to actually "use" the device. This feature has been present at the USB "device" level for quite some time, and at the USB "interface" level now for I think over a year (can dig it out if people really care, the work was done by someone from SuSE.) Also, all Wireless USB devices operate in this manner "by default" for as long as Linux has supported Wireless USB devices (thankfully these devices are really rare.) > - a Linux distribution may ship with a default configuration in > which a newly connected USB device can operate as a keyboard and > inject text into an application Yes, but I don't understand, perhaps what you really mean to say is: A Linux distribution may ship with a default configuration of trusting all new devices that are plugged in without any form of userspace authentication before they begin to operate. > - some Linux distributions want to have this behavior, and their > maintainers have concluded that there is no comprehensive method > for "asking a user" about a new USB device in a way that is > compatible with all use cases Huh? There is such a method, Linux has supported this for a very long time (see above.) It's up to the distro to decide to use it or not, that's their choice (hint, I don't blame them for making this choice, it's what almost all users expect and want as well...) > - if anyone (whether a Linux distribution or other type of product) > is announcing a required security update, in which software or > configuration is being changed to address malicious keyboard > attacks, then we can assign a CVE ID to associate with the update > announcement Why would a CVE be needed for a "my distro decides to not trust USB devices as much as your distro does" type decision? This is just a matter of how a distribution configures their kernel, combined with their decision of how to deal with new USB devices. Perhaps you could argue that some of those decisions might be "more secure" than others, but I don't see a "bug" that is resolved by deciding about this one way or the other, do you? thanks, greg k-h
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.