[ GLSA 202310-14 ] libinput: format string vulnerability when using xf86-input-libinput
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: libinput: format string vulnerability when using xf86-input-libinput
Date: October 26, 2023
Bugs: #839729
ID: 202310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in libinput where an attacker may
run malicous code by exploiting a format string vulnerability.
Background
==========
A library to handle input devices in Wayland and, via xf86-input-
libinput, in X.org.
Affected packages
=================
Package Vulnerable Unaffected
----------------- ------------ ------------
dev-libs/libinput < 1.20.1 >= 1.20.1
Description
===========
An attacker may be able to run malicious code by exploiting a format
string vulnerability. Please review the CVE identifier referenced below
for details.
Impact
======
When a device is detected by libinput, libinput logs several messages
through log handlers set up by the callers. These log handlers usually
eventually result in a printf call. Logging happens with the privileges
of the caller, in the case of Xorg this may be root.
The device name ends up as part of the format string and a kernel device
with printf-style format string placeholders in the device name can
enable an attacker to run malicious code. An exploit is possible through
any device where the attacker controls the device name, e.g. /dev/uinput
or Bluetooth devices.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libinput users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libinput-1.20.1"
References
==========
[ 1 ] CVE-2022-1215
https://nvd.nist.gov/vuln/detail/CVE-2022-1215
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202310-14
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
A libinput security update has been released for Gentoo Linux.