Your message dated Tue, 07 Apr 2026 09:04:16 +0000
with message-id <[email protected]>
and subject line Bug#1132550: fixed in libinput 1.31.1-1
has caused the Debian Bug report #1132550,
regarding libinput: CVE-2026-35093 CVE-2026-35094
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132550: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132550
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libinput
Version: 1.31.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for libinput.
I made the severity grave to make sure the fix goes in before forky (I would
expect that anyway), but feel free to downgrade if you do not agree.
CVE-2026-35093[0]:
| A flaw was found in libinput. A local attacker who can place a
| specially crafted Lua bytecode file in certain system or user
| configuration directories can bypass security restrictions. This
| allows the attacker to run unauthorized code with the same
| permissions as the program using libinput, such as a graphical
| compositor. This could lead to the attacker monitoring keyboard
| input and sending that information to an external location.
CVE-2026-35094[1]:
| A flaw was found in libinput. An attacker capable of deploying a Lua
| plugin file in specific system directories can exploit a dangling
| pointer vulnerability. This occurs when a garbage collection cleanup
| function is called, leaving a pointer that can then be printed to
| system logs. This could potentially expose sensitive data if the
| memory location is re-used, leading to information disclosure. For
| this exploit to work, Lua plugins must be enabled in libinput and
| loaded by the compositor.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35093
https://www.cve.org/CVERecord?id=CVE-2026-35093
[1] https://security-tracker.debian.org/tracker/CVE-2026-35094
https://www.cve.org/CVERecord?id=CVE-2026-35094
Regards,
Salvatore
--- End Message ---
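A defensive check related to CVE-2026-35093 as described in the report above, added here as an example and not part of the original report or of libinput: it walks the directories it is given and lists regular files that begin with the Lua precompiled-chunk signature (ESC "Lua"). The report does not name the plugin directories, so they are passed as arguments; the function names and the sample tree are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag precompiled Lua bytecode in plugin directories (added example)."""
import os
import stat
import sys
import tempfile

# Precompiled Lua chunks start with ESC "Lua" (LUA_SIGNATURE in the Lua sources).
LUA_BYTECODE_MAGIC = b"\x1bLua"


def find_lua_bytecode(directories):
    """Return sorted (path, owner_uid, octal_mode) for files that are Lua bytecode."""
    hits = []
    for top in directories:
        for root, _dirs, names in os.walk(top):
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue  # skip symlinks, FIFOs, devices
                    with open(path, "rb") as fh:
                        head = fh.read(len(LUA_BYTECODE_MAGIC))
                except OSError:
                    continue  # unreadable entry: nothing to classify
                if head == LUA_BYTECODE_MAGIC:
                    hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample input: one text plugin, one file with the bytecode magic."""
    plugin_dir = os.path.join(base, "plugins")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, "10-text.lua"), "w") as fh:
        fh.write("-- plain-text Lua source\nreturn {}\n")
    with open(os.path.join(plugin_dir, "20-compiled.lua"), "wb") as fh:
        fh.write(LUA_BYTECODE_MAGIC + b"\x54\x00" + b"\x00" * 16)  # header stub only
    return plugin_dir


if __name__ == "__main__":
    # Pass the plugin directories used on your system; none are named in this report.
    targets = sys.argv[1:]
    with tempfile.TemporaryDirectory() as tmp:
        for path, uid, mode in find_lua_bytecode(targets or [build_sample_tree(tmp)]):
            print(f"bytecode: {path} uid={uid} mode={mode}")
```

Run without arguments it scans the constructed sample tree; the owner and mode columns help decide whether a flagged file was placed by a package or by a local user.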
--- Begin Message ---
Source: libinput
Source-Version: 1.31.1-1
Done: Timo Aaltonen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libinput, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated libinput package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Apr 2026 22:24:51 +0300
Source: libinput
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 1.31.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1132550
Launchpad-Bugs-Fixed: 2146518
Changes:
libinput (1.31.1-1) unstable; urgency=medium
.
* New upstream release. (Closes: #1132550)
- CVE-2026-35093
- CVE-2026-35094
* Add quirks support for Goodix touchpad 27C6:0F96 and 27C6:0F90 (LP:
#2146518)
d/p/0001-Add-Goodix-haptic-touchpad-27C6-0F90-support.patch
d/p/0002-quirks-add-support-for-Goodix-touchpad-27C6-0F96.patch
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---