Bug 2074952 (CVE-2022-1215)

Summary: CVE-2022-1215 libinput: format string vulnerability may lead to privilege escalation
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ajak, btissoir, msiddiqu, peter.hutterer, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libinput 1.20.1, libinput 1.18.4, libinput 1.18.2
Last Closed: 2022-07-01 07:27:44 UTC
Bug Depends On: 2076815, 2076816, 2077658, 2077659, 2077955
Bug Blocks: 2074953

Description Marian Rehak 2022-04-13 11:22:24 UTC
When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root.
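
Added illustration (not part of the original report and not libinput's code): how a device-supplied string that is spliced into the format passed to a printf-backed log handler gets parsed for directives, and one way to neutralise it by escaping `%`. It assumes the untrusted input is a device name, which the description above does not state; `log_handler`, `log_device`, `escape_percent` and the sample name are constructed for this example, and the sample uses only the well-defined `%%` directive.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_msg[256]; /* captures what the handler would print */

/* Stand-in for a caller-installed log handler that ends in a printf call. */
static void log_handler(const char *format, va_list args)
{
    vsnprintf(last_msg, sizeof(last_msg), format, args);
}

/* Copy src to dst (dstlen >= 1), doubling every '%' so that printf treats
 * it as a literal character instead of the start of a directive. */
static void escape_percent(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;

    for (; *src && o + 2 < dstlen; src++) {
        if (*src == '%')
            dst[o++] = '%';
        dst[o++] = *src;
    }
    dst[o] = '\0';
}

/* Compose "<name>: <format>" and hand it to the handler as the format.
 * With escape == 0 the device-supplied name is parsed for directives. */
const char *log_device(int escape, const char *devname, const char *format, ...)
{
    char name[128], buf[256];
    va_list args;

    if (escape)
        escape_percent(name, sizeof(name), devname);
    else
        snprintf(name, sizeof(name), "%s", devname);
    snprintf(buf, sizeof(buf), "%s: %s", name, format);
    va_start(args, format);
    log_handler(buf, args);
    va_end(args);
    return last_msg;
}

int main(void)
{
    const char *dev = "Pad 100%% gain"; /* constructed name, two '%' chars */
    printf("unescaped: %s\n", log_device(0, dev, "button %d", 3));
    printf("escaped:   %s\n", log_device(1, dev, "button %d", 3));
    return 0;
}
```

Where the logging API allows it, passing the name as an argument to a constant format (`"%s: ..."`) avoids the problem without any escaping.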

Comment 2 Todd Cullum 2022-04-22 17:04:25 UTC
Created libinput tracking bugs for this issue:

Affects: fedora-all [bug 2077955]

Comment 3 John Helmert III 2022-04-28 15:27:56 UTC
Why hasn't this CVE been made public yet? This bug has been public since 04.22, and the issue itself has been public since 04.20.

https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
https://www.openwall.com/lists/oss-security/2022/04/20/2

Comment 5 Todd Cullum 2022-05-20 00:19:20 UTC
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
> 
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Note that we did not assign this CVE ID, so we do not know the answer to this.

Comment 6 John Helmert III 2022-05-20 00:31:01 UTC
Well, that leaves me really baffled. MITRE directed me to RedHat as the assigning CNA.

Comment 7 Todd Cullum 2022-05-20 00:35:32 UTC
In reply to comment #6:
> Well, that leaves me really baffled. MITRE directed me to RedHat as the
> assigning CNA.

Yeah that's incorrect. In fact, they assigned this. See here: https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

Comment 8 Todd Cullum 2022-05-20 00:43:39 UTC
In reply to comment #7:
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
> 
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

Actually, what I just provided may be incorrect. I'm bringing this to the attention of someone here who could potentially confirm, and we'll update you as soon as we can; thanks for bringing this up.

Comment 10 John Helmert III 2022-05-20 01:05:31 UTC
(In reply to Todd Cullum from comment #7)
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
> 
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

As far as I've seen, that JSON is the same for all reserved CVEs, with the assigner always being MITRE. I've not been able to find any way to associate a reserved CVE with its CNA.

Comment 11 Todd Cullum 2022-05-23 19:53:21 UTC
In reply to comment #10:
> (In reply to Todd Cullum from comment #7)
> > In reply to comment #6:
> > > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > > assigning CNA.
> > 
> > Yeah that's incorrect. In fact, they assigned this. See here:
> > https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json
> 
> As far as I've seen, that JSON is the same for all reserved CVEs, with the
> assigner always being MITRE. I've not been able to find any way to associate
> a reserved CVE with its CNA.

Hi!

You're right, hence my comment #8 shortly thereafter above. Sorry about that, stay tuned!

Comment 13 msiddiqu 2022-05-27 12:17:01 UTC
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
> 
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Hi, we have re-published this to MITRE's end. It should be up there shortly at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1215

Comment 14 errata-xmlrpc 2022-06-28 15:15:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5331 https://access.redhat.com/errata/RHSA-2022:5331

Comment 15 errata-xmlrpc 2022-06-28 16:04:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5257 https://access.redhat.com/errata/RHSA-2022:5257

Comment 16 Product Security DevOps Team 2022-07-01 07:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1215