A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.
|Package||app-admin/usbview on all architectures|
|Affected versions||< 2.2|
|Unaffected versions||>= 2.2|
USBView is a tool to display the topology of devices on the USB bus.
A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.
USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.
There is no known workaround at this time.
All USBView users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"
October 26, 2023
October 26, 2023: 1