Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <86c70de9-3adb-a18c-23aa-0110d83dbdc2@redhat.com>
Date: Wed, 20 Apr 2022 15:58:20 +1000
From: Peter Hutterer <peter.hutterer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1215 libinput format string vulnerability

Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when 
using xf86-input-libinput
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldstål-Ahrens and Lukas Lamster
CVSS: 7.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Disclosure date: Embargo cancelled due to an independent public bug filed

When a device is detected by libinput, libinput logs several messages 
through log handlers set up by the callers. These log handlers usually 
eventually result in a printf call. Logging happens with the privileges 
of the caller, in the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device 
with printf-style format string placeholders in the device name can 
enable an attacker to run malicious code. An exploit is possible through 
any device where the attacker controls the device name, e.g. /dev/uinput 
or Bluetooth devices.

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit
   2a8b8fde90d63d48ce09ddae44142674bbca1c28

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2
Releases of versions 1.17.x and earlier are not planned at this stage.

Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured 
AB for their discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks 
for their discovery and responsible reporting.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.