Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when using 
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldstål-Ahrens and Lukas Lamster

When a device is detected by libinput, libinput logs several messages through
log handlers set up by the callers. These log handlers usually eventually
result in a printf call. Logging happens with the privileges of the caller, in
the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device with
printf-style format string placeholders in the device name can enable an
attacker to run malicious code. An exploit is possible through any device
where the attacker controls the device name, e.g. /dev/uinput or Bluetooth

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit a423d7d3269dc

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2
Releases of versions 1.17.x and earlier are not planned at this stage.

Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured AB for
their discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks for
their discovery and responsible reporting.

Attachment: signature.asc
Description: PGP signature

Reply via email to