USBView: root privilege escalation via insecure polkit settings — GLSA 202310-15

A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.

Affected packages

Package	app-admin/usbview on all architectures
Affected versions	< 2.2
Unaffected versions	>= 2.2

Background

USBView is a tool to display the topology of devices on the USB bus.

Description

A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.

Impact

USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.

Workaround

There is no known workaround at this time.

Resolution

All USBView users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"

References

CVE-2022-23220

Release date
October 26, 2023

Latest revision
October 26, 2023: 1

Severity
high

Exploitable
local

Bugzilla entries

831756