Widely-Used libinput Updated Due To Arbitrary Root Code Execution
([Desktop] 2 Hours Ago, libinput 1.31.2)
- Reference: 0001637959
- News link: https://www.phoronix.com/news/libinput-1.31.2-Security-Fix
The libinput input handling library used by both X.Org and Wayland environments on modern Linux desktops is out with a new security fix release. A new vulnerability is now public allowing for arbitrary root code execution.
Libinput maintainer Peter Hutterer announced [1] the new libinput security advisory for the issue uncovered by Csome. Because of how libinput's libinput-device-group udev helper handles its output, a malicious uinput or uhid device could set a PHYS sysattr containing a "\n", causing the resulting output to be interpreted by udev as two separate key-value pairs. In turn this could ultimately lead to arbitrary root code execution.
An attacker would need to create a malicious uinput or uhid device to pull off this attack. While creating such devices is typically restricted to root, custom udev rules can open this attack up to non-root users, such as when installing the "steam-devices" package or similar on Fedora. Simply having the Steam Devices package installed can in turn open up this attack vector to logged-in users.
Libinput 1.31.2 [2] is now available to mitigate this issue.
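The newline problem described above, sketched as an added example (not libinput's code and not the actual 1.31.2 patch): a helper that copies a device attribute into a line-oriented KEY=value output, next to a version that refuses control bytes. The key name, the sample values and the reject-on-control-byte check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical key name, not the one libinput's helper prints. */
#define KEY "EXAMPLE_GROUP"

/* Pre-fix pattern: the attribute is copied into the line unchecked. */
int emit_unchecked(char *out, size_t n, const char *phys)
{
    return snprintf(out, n, KEY "=%s\n", phys);
}

/* Hardened pattern: refuse any value containing a control byte, so one
 * attribute can never produce more than one output line. */
int emit_checked(char *out, size_t n, const char *phys)
{
    for (const unsigned char *p = (const unsigned char *)phys; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return -1;
    return snprintf(out, n, KEY "=%s\n", phys);
}

/* Model of a line-oriented consumer: every line with '=' is one pair. */
int count_pairs(const char *out)
{
    int pairs = 0;
    while (*out) {
        size_t len = strcspn(out, "\n");
        if (memchr(out, '=', len))
            pairs++;
        out += len;
        if (*out == '\n')
            out++;
    }
    return pairs;
}

int main(void)
{
    /* Constructed sample value: an embedded newline followed by a second pair. */
    const char *hostile = "usb-0000:00:14.0-1/input0\nEXAMPLE_INJECTED=1";
    char buf[256];
    emit_unchecked(buf, sizeof(buf), hostile);
    printf("unchecked: %d pairs\n", count_pairs(buf));
    printf("checked: %d\n", emit_checked(buf, sizeof(buf), hostile));
    return 0;
}
```

The same check applies to any helper whose output is imported by a privileged line-based parser: device-supplied strings are untrusted input even when they arrive through sysfs.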
[1] https://lore.freedesktop.org/wayland-devel/aiDRA35Gggyi5mTY@quokka/T/#u
[2] https://lore.freedesktop.org/wayland-devel/aiDR_N7VUOSOfBUA@quokka/T/#u