Date: Wed, 20 Apr 2022 15:58:20 +1000
From: Peter Hutterer <peter.hutterer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1215 libinput format string vulnerability

Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when using xf86-input-libinput
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldstål-Ahrens and Lukas Lamster
CVSS: 7.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Disclosure date: Embargo cancelled due to an independent public bug filed

When a device is detected by libinput, libinput logs several messages
through log handlers set up by the callers. These log handlers usually
eventually result in a printf call. Logging happens with the privileges of
the caller; in the case of Xorg this may be root.

The device name ends up as part of the format string, and a kernel device
with printf-style format string placeholders in the device name can enable
an attacker to run malicious code. An exploit is possible through any device
where the attacker controls the device name, e.g. /dev/uinput or Bluetooth
devices.

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit
2a8b8fde90d63d48ce09ddae44142674bbca1c28

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2

Releases of versions 1.17.x and earlier are not planned at this stage.

Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured AB
for their discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks for
their discovery and responsible reporting.
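The bug class described above, as an added example that is not libinput's code and not the upstream patch: a tiny printf-style log handler (`log_fmt`, hypothetical), the vulnerable call shape in which the untrusted device name is itself the format string, the fixed shape in which the name is passed as data to a fixed `"%s"` format, and a small audit helper that counts conversion specifications in a name. The device names are constructed for the example. The `format` attribute on the handler is what lets gcc/clang `-Wformat-security` flag the unsafe call at compile time, which is the cheapest check a maintainer can add against this class.

```c
/* Added example, not libinput's own code: shows the bug class behind
 * CVE-2022-1215 (a device name reaching a printf-style format) and the
 * fix, which is to pass the name as an argument to a fixed "%s" format. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in (hypothetical) for a caller-supplied log handler that
 * ends in vsnprintf. The format attribute lets gcc/clang -Wformat-security
 * warn when a non-literal format with no arguments is passed in, which is
 * how the unsafe call below is caught before it ships. */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape (the "before"): the untrusted name *is* the format.
 * Kept only to show the pattern the fix removes; the example never feeds
 * it a name containing '%'. */
static int log_device_unsafe(char *out, size_t outlen, const char *name)
{
    return log_fmt(out, outlen, name);
}

/* Fixed shape (the "after"): the format is a literal, the name is data,
 * so any '%' in the name is copied through verbatim. */
static int log_device_safe(char *out, size_t outlen, const char *name)
{
    return log_fmt(out, outlen, "event device added: %s", name);
}

/* Audit helper: count printf conversion specifications in a string.
 * "%%" is an escaped literal percent and is not counted. A device name
 * from an untrusted source that contains any is worth a closer look when
 * reviewing logs or udev data. */
static int count_conversion_specs(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 when the fixed logger reproduced the name byte-for-byte after
 * its fixed prefix, 0 otherwise. */
static int safe_logger_preserves_name(const char *name)
{
    char buf[256];
    const char *prefix = "event device added: ";
    log_device_safe(buf, sizeof buf, name);
    return strncmp(buf, prefix, strlen(prefix)) == 0 &&
           strcmp(buf + strlen(prefix), name) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from any real device. */
    const char *benign = "Example USB Keyboard";
    const char *suspicious = "Example %s%s Keyboard";
    char buf[256];

    /* For a name without '%' both shapes produce the same output. */
    log_device_unsafe(buf, sizeof buf, benign);
    printf("%s\n", buf);

    /* The fixed shape keeps the directives as literal text. */
    log_device_safe(buf, sizeof buf, suspicious);
    printf("%s\n", buf);

    printf("conversion specs in suspicious name: %d\n",
           count_conversion_specs(suspicious));
    return 0;
}
```

Build with `-Wall -Wformat -Wformat-security` (or `-Werror=format-security` in CI) and the compiler reports the `log_device_unsafe` call as a non-literal format with no arguments; the fixed variant compiles clean. The same attribute is worth putting on any project's own log wrapper so that the warning reaches every call site rather than only direct printf calls.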