Hi,

On Mon, 28 Nov 2022 15:45:16 +0100, Xavi Drudis Ferran <xdru...@tinet.cat> wrote:
> I hesitate to file as critical, but I came across a bug report in
> upstream that looked serious enough since it would allow all local
> processes to eavesdrop on keyboard input, including passwords, etc. I
> haven't tried an exploit, but it seemed better to just restrict
> /dev/input/event* permissions to those of other event dev files.
>
> Without this patch, I can read /dev/input/event2 and /dev/input/event3 as a
> normal user. I see bytes in /dev/input/event2 when typing as a normal
> user and also typing in another terminal (Konsole) typing as
> root. event3 only shows the characters typed by the normal user.
>
> With the patch I can't read /dev/input/event* as a normal user.

Thanks for bringing this up! I’d rather use uaccess, see
https://github.com/MatMoul/g810-led/pull/297

I’ll upload a fixed package shortly and see about a security update for stable.

Regards,

Stephen
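The permission check described in the quoted report can be run as an audit. This is an added example, not part of the thread or of the g810-led package; the function names `world_accessible_events` and `audit_input_events` are hypothetical.

```shell
#!/bin/sh
# Added example: flag input event nodes that every local account can open.
# It inspects only the classic mode bits; ACLs (such as those applied for
# the logged-in user by uaccess) are not shown here, use getfacl for those.

# Print event nodes under DIR (default /dev/input) whose "other"
# permission bits allow reading or writing.
world_accessible_events() {
    dir="${1:-/dev/input}"
    find "$dir" -maxdepth 1 -name 'event*' \
        \( -perm -004 -o -perm -002 \) 2>/dev/null | sort
}

# Return 0 when no node is exposed; otherwise list the exposed nodes
# with their owner, group and mode on stderr and return 1.
audit_input_events() {
    exposed="$(world_accessible_events "$1")"
    if [ -z "$exposed" ]; then
        return 0
    fi
    echo "world-accessible input event nodes:" >&2
    echo "$exposed" | while IFS= read -r node; do
        ls -l "$node" >&2
    done
    return 1
}

# Usage (after sourcing this file):
#   audit_input_events            # checks /dev/input
#   audit_input_events /some/dir  # checks another directory
```

A non-zero return from `audit_input_events` on a multi-user machine means any local process can read the listed devices, which is the situation the report describes for `/dev/input/event2` and `/dev/input/event3`.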