[ANNOUNCE] libinput 1.20.1

Peter Hutterer peter.hutterer at who-t.net
Wed Apr 20 05:47:23 UTC 2022

libinput 1.20.1 is now available

One single patch only, for a format string vulnerability, assigned CVE-2020-1215.
See https://gitlab.freedesktop.org/libinput/libinput/-/issues/752 for details.

When a device is detected by libinput, libinput logs several messages through
log handlers set up by the callers. These log handlers usually end up in a
printf call. Logging happens with the privileges of the caller; in the case of
Xorg this may be root.

The device name ends up as part of the format string, so a kernel device with
printf-style format string placeholders in its name can enable an attacker to
run malicious code. An exploit is possible through any device where the
attacker controls the device name, e.g. /dev/uinput or Bluetooth.

Many thanks to Albin Eldstål-Ahrens and Benjamin Svensson from Assured AB for their
discovery and responsible reporting of this issue.

This issue was independently discovered by Lukas Lamster. Many thanks for their discovery
and responsible reporting.

The release is available via gitlab from 

Peter Hutterer (2):
      evdev: strip the device name of format directives
      libinput 1.20.1
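
The problem described above, as an added example that is not libinput's own
code: a log wrapper that puts the device name into the format string, made safe
by neutralising '%' first. The names escape_percent and device_log, the buffer
sizes and the sample device name are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy src into dst, doubling every '%' so printf-style
 * functions print it literally. Returns 0, or -1 if dst is too small. */
static int escape_percent(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (o + need >= dstlen)     /* keep one byte for the NUL */
            return -1;
        if (*src == '%')
            dst[o++] = '%';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical log wrapper: builds "<devname>: <fmt>" as ONE format string
 * and expands it with the caller's arguments, like a prefixing logger. */
static int device_log(char *out, size_t outlen, const char *devname,
                      const char *fmt, ...)
{
    char safe[128], full[256];
    va_list ap;
    int n;
    /* Vulnerable form: pass devname instead of safe to the snprintf below;
     * directives in the name would then be expanded against ap. */
    if (escape_percent(devname, safe, sizeof safe) < 0)
        return -1;
    n = snprintf(full, sizeof full, "%s: %s", safe, fmt);
    if (n < 0 || (size_t)n >= sizeof full)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, full, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[256];   /* the device name below is constructed sample input */
    if (device_log(buf, sizeof buf, "Kbd %s%s %x", "tagged as %s", "keyboard") > 0)
        puts(buf);
}
```

The same result follows from never composing the name into the format at all
and passing it as an argument to a fixed "%s" instead.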