[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freedesktop-xorg
Subject:    X.Org Security Advisory: CVE-2022-1215: libinput format string vulnerability
From:       Peter Hutterer <peter.hutterer () who-t ! net>
Date:       2022-04-20 6:03:47
Message-ID: Yl+iQ+3/6ijohQqh () quokka
[Download RAW message or body]


Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when using=
 xf86-input-libinput
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldst=E5l-Ahrens and Lukas Lamster
CVSS: 7.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

When a device is detected by libinput, libinput logs several messages throu=
gh
log handlers set up by the callers. These log handlers usually eventually
result in a printf call. Logging happens with the privileges of the caller,=
 in
the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device wi=
th
printf-style format string placeholders in the device name can enable an
attacker to run malicious code. An exploit is possible through any device
where the attacker controls the device name, e.g. /dev/uinput or Bluetooth
devices.

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit a423d7d3269dc
https://gitlab.freedesktop.org/libinput/libinput/-/commit/a423d7d3269dc32a8=
7384f79e29bb5ac021c83d1

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2
Releases of versions 1.17.x and earlier are not planned at this stage.

Many thanks to Albin Eldst=E5l-Ahrens and Benjamin Svensson from Assured AB=
 for
their discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks for
their discovery and responsible reporting.

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]