USBView: root privilege escalation via insecure polkit settings

Background

USBView is a tool to display the topology of devices on the USB bus.

Description

A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.

Impact

USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.

Workaround

There is no known workaround at this time.

Resolution

All USBView users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"