MidnightBSD

Advisories for udev_project

CVE-2009-1185 HIGH

udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-346

Products Affected

Vendor Product Version
opensuse opensuse 11.0
suse linux_enterprise_desktop 11
canonical ubuntu_linux 6.06
suse linux_enterprise_desktop 10
canonical ubuntu_linux 8.04
juniper ctpview 7.1
canonical ubuntu_linux 7.10
udev_project udev *
juniper ctpview *
suse linux_enterprise_debuginfo 10
debian debian_linux 5.0
suse linux_enterprise_server 10
juniper ctpview 7.2
canonical ubuntu_linux 8.10
opensuse opensuse 10.3
fedoraproject fedora 9
opensuse opensuse 11.1
debian debian_linux 4.0
suse linux_enterprise_debuginfo 11
suse linux_enterprise_server 11
fedoraproject fedora 10

CVE-2009-1186 LOW

Buffer overflow in the util_path_encode function in udev/lib/libudev-util.c in udev before 1.4.1 allows local users to cause a denial of service (service outage) via vectors that trigger a call with crafted arguments.

CVSS 2.0

Severity: LOW

Problem Type: CWE-120

Products Affected

Vendor Product Version
opensuse opensuse 11.0
suse linux_enterprise_desktop 11
canonical ubuntu_linux 6.06
suse linux_enterprise_desktop 10
canonical ubuntu_linux 8.04
canonical ubuntu_linux 7.10
udev_project udev *
suse linux_enterprise_debuginfo 10
debian debian_linux 5.0
suse linux_enterprise_server 10
canonical ubuntu_linux 8.10
opensuse opensuse 10.3
fedoraproject fedora 9
opensuse opensuse 11.1
debian debian_linux 4.0
suse linux_enterprise_debuginfo 11
suse linux_enterprise_server 11
fedoraproject fedora 10

CVE-2010-4176 MEDIUM

plymouth-pretrigger.sh in dracut and udev, when running on Fedora 13 and 14, sets weak permissions for the /dev/systty device file, which allows remote authenticated users to read terminal data from tty0 for local users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276

Products Affected

Vendor Product Version
dracut_project dracut -
udev_project udev -

CVE-2011-0640 MEDIUM

The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
udev_project udev -