X.Org Security Advisory: CVE-2022-1215: libinput format string vulnerability

Peter Hutterer peter.hutterer at who-t.net
Wed Apr 20 06:03:47 UTC 2022


Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when using xf86-input-libinput
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldstål-Ahrens and Lukas Lamster
CVSS: 7.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

When a device is detected by libinput, libinput logs several messages through
log handlers set up by the callers. These log handlers usually eventually
result in a printf call. Logging happens with the privileges of the caller, in
the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device with
printf-style format string placeholders in the device name can enable an
attacker to run malicious code. An exploit is possible through any device
where the attacker controls the device name, e.g. /dev/uinput or Bluetooth
devices.

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit a423d7d3269dc
https://gitlab.freedesktop.org/libinput/libinput/-/commit/a423d7d3269dc32a87384f79e29bb5ac021c83d1

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2
Releases of versions 1.17.x and earlier are not planned at this stage.

Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured AB for
their discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks for
their discovery and responsible reporting.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg-announce/attachments/20220420/49eadd8b/attachment.sig>


More information about the xorg-announce mailing list