Headline
Gentoo Linux Security Advisory 202310-14
Gentoo Linux Security Advisory 202310-14 - A vulnerability has been discovered in libinput where an attacker may run malicious code by exploiting a format string vulnerability. Versions greater than or equal to 1.20.1 are affected.
Gentoo Linux Security Advisory GLSA 202310-14
https://security.gentoo.org/
Severity: High
Title: libinput: format string vulnerability when using xf86-input-libinput
Date: October 26, 2023
Bugs: #839729
ID: 202310-14
Synopsis
A vulnerability has been discovered in libinput where an attacker may
run malicous code by exploiting a format string vulnerability.
Background
A library to handle input devices in Wayland and, via xf86-input-
libinput, in X.org.
Affected packages
Package Vulnerable Unaffected
dev-libs/libinput < 1.20.1 >= 1.20.1
Description
An attacker may be able to run malicious code by exploiting a format
string vulnerability. Please review the CVE identifier referenced below
for details.
Impact
When a device is detected by libinput, libinput logs several messages
through log handlers set up by the callers. These log handlers usually
eventually result in a printf call. Logging happens with the privileges
of the caller, in the case of Xorg this may be root.
The device name ends up as part of the format string and a kernel device
with printf-style format string placeholders in the device name can
enable an attacker to run malicious code. An exploit is possible through
any device where the attacker controls the device name, e.g. /dev/uinput
or Bluetooth devices.
Workaround
There is no known workaround at this time.
Resolution
All libinput users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose “>Þv-libs/libinput-1.20.1”
References
[ 1 ] CVE-2022-1215
https://nvd.nist.gov/vuln/detail/CVE-2022-1215
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202310-14
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
Related news
Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.
Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...
Red Hat Security Advisory 2022-5257-01 - libinput is a library that handles input devices for display servers and other applications that need to directly deal with input devices. Issues addressed include format string and privilege escalation vulnerabilities.
An update for libinput is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1215: libinput: format string vulnerability may lead to privilege escalation
An update for libinput is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1215: libinput: format string vulnerability may lead to privilege escalation
A format string vulnerability was found in libinput