CVE-2022-46338

Name: CVE-2022-46338
Description: g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3217-1
Debian Bugs: 1024998

Vulnerable and fixed packages

The table below lists information on source packages.

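| Source Package | Release | Version | Status |
|---|---|---|---|
| g810-led (PTS) | buster | 0.3.3-2 | vulnerable |
| g810-led | buster (security) | 0.3.3-2+deb10u1 | fixed |
| g810-led | bullseye | 0.4.2-1+deb11u1 | fixed |
| g810-led | bookworm | 0.4.3-1 | fixed |
| g810-led | sid, trixie | 0.4.3-2 | fixed |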

The information below is based on the following data on fixed versions.

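| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| g810-led | source | buster | 0.3.3-2+deb10u1 | | DLA-3217-1 | |
| g810-led | source | bullseye | 0.4.2-1+deb11u1 | | | |
| g810-led | source | (unstable) | 0.4.2-3 | | | 1024998 |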

Notes

https://github.com/MatMoul/g810-led/pull/297
Fixed by: https://github.com/MatMoul/g810-led/commit/e2b486fd1bc21e0b784e1b4c959770772dfced24 (v0.4.3)
