oss-sec mailing list archives
Re: libinput: libinput-device-group unescaped phys output can inject udev properties
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 5 Jun 2026 22:23:15 +0200
Hi,

On Fri, Jun 05, 2026 at 09:01:56AM +1000, Peter Hutterer wrote:
> On Thu, Jun 04, 2026 at 08:12:22PM +1000, Peter Hutterer wrote:
> > =========================================
> > libinput Security Advisory: June 4, 2026
> > =========================================
> >
> > An issue has been found in libinput:
> >
> > 1) libinput-device-group unescaped phys output can inject udev properties
> >    leading to arbitrary root code execution
> >
> > libinput uses a udev helper called libinput-device-group. This helper uses
> > a device's phys sysattr as one element of a udev property value which is
> > printed as a KEY=VALUE pair and imported as ENV by udev.
> >
> > A malicious uinput or uhid device that sets a phys sysattr containing \n
> > caused the output to be interpreted as two separate KEY=VALUE pairs by
> > udev. This could cause arbitrary execution as root (e.g. by setting the
> > REMOVE_CMD property).
> >
> > A CVE has been requested for this issue but did not get assigned in time
> > for this disclosure.
> >
> > Upstream issue: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
> > Upstream fix: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55
> >
> > Versions affected: libinput <= 1.31.2 and <= 1.30.3
> > Fixed versions: libinput 1.31.3, 1.30.4
>
> This issue has now been assigned CVE-2026-50265

FTR, this is a bit odd since before that assignment MITRE seems to have
already assigned CVE-2026-50292:

https://www.cve.org/CVERecord?id=CVE-2026-50292

And it had the references:

https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55
https://www.openwall.com/lists/oss-security/2026/06/04/5

So that is clashing with the assignment from Red Hat as CVE-2026-50265:

https://www.cve.org/CVERecord?id=CVE-2026-50265

I asked Red Hat CNA if they can reject the later assigned one, but not
sure which should be kept now.

Regards,
Salvatore
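As an added illustration of the mechanism the quoted advisory describes (not libinput's code and not part of the original mail), the C sketch below emits a helper-style KEY=VALUE line from a phys value, counts the properties a line-oriented importer like udev's would see, and shows the escaping that keeps a device-controlled phys value to a single property. The LIBINPUT_DEVICE_GROUP property name and the sample phys value are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: a phys value with an embedded newline followed by text
 * shaped like a second KEY=VALUE pair. */
static const char SAMPLE_PHYS[] = "usb-0000:00:14.0-1/input0\nINJECTED=1";

/* Copy phys into out, replacing every control character (\n, \r, ...) with
 * '_'.  Returns how many characters were replaced. */
int sanitize_phys(const char *phys, char *out, size_t outlen) {
    int replaced = 0;
    size_t i;
    for (i = 0; i + 1 < outlen && phys[i] != '\0'; i++) {
        int bad = iscntrl((unsigned char)phys[i]);
        out[i] = bad ? '_' : phys[i];
        replaced += bad ? 1 : 0;
    }
    out[i] = '\0';
    return replaced;
}

/* Count newline-separated lines containing '='; a line-oriented importer
 * such as udev's IMPORT{program} turns each one into a property. */
int count_env_pairs(const char *output) {
    int pairs = 0;
    const char *line = output;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (memchr(line, '=', len) != NULL) pairs++;
        if (nl == NULL) break;
        line = nl + 1;
    }
    return pairs;
}

/* Emit the helper-style output line for SAMPLE_PHYS (property name assumed
 * for illustration), raw or sanitized, and count the resulting properties. */
int pairs_for_sample(int sanitize) {
    char clean[128], out[256];
    const char *phys = SAMPLE_PHYS;
    if (sanitize) {
        sanitize_phys(SAMPLE_PHYS, clean, sizeof clean);
        phys = clean;
    }
    snprintf(out, sizeof out, "LIBINPUT_DEVICE_GROUP=%s\n", phys);
    return count_env_pairs(out);
}
```

The raw sample yields two properties, the sanitized one a single property; rejecting the device outright when phys contains control characters is an equally valid fix.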
