| Name | CVE-2024-38394 |
| Description | Mismatches in interpreting USB authorization policy between GNOME Settings Daemon (GSD) through 46.0 and the Linux kernel's underlying device matching logic allow a physically proximate attacker to access some unintended Linux kernel USB functionality, such as USB device-specific kernel modules and filesystem implementations. NOTE: the GSD supplier indicates that consideration of a mitigation for this within GSD would be in the context of "a new feature, not a CVE." |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| gnome-settings-daemon (PTS) | buster | 3.30.2-3 | vulnerable |
| bullseye | 3.38.2-1 | vulnerable |
| bookworm | 43.0-4 | vulnerable |
| sid, trixie | 46.0-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| gnome-settings-daemon | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://pulsesecurity.co.nz/advisories/usbguard-bypass
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780#note_2047914
As per Gnome upstream, consideration of a mitigation for the issue within
gnome-settings-daemon would rather be a new feature but not a vulnerability
fixing. The CVE assignment is disputed upstream with this context.