libinput 1.20.1 is now available One single patch only, for a format string vulnerability, assigned CVE-2020-1215. See https://gitlab.freedesktop.org/libinput/libinput/-/issues/752 for details
When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root. The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices. Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured AB for their discovery and responsible reporting of this issue. This issue was independently discovered by Lukas Lamster. Many thanks for their discovery and responsible reporting. The release is available via gitlab from https://gitlab.freedesktop.org/libinput/libinput/-/releases/1.20.1 -- Peter Hutterer (2): evdev: strip the device name of format directives libinput 1.20.1
signature.asc
Description: PGP signature