A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor.
An attacker that can deploy a lua file {/usr/share,/etc}/libinput/plugins and possibly XDG_CONFIG_HOME/libinput/plugins can call a GC cleanup function and leave a dangling pointer. This pointer can then be printed to the system logs, potentially exposing sensitive data once the memory location is re-used.
For the exploit to work, lua plugins must be enabled in libinput and loaded by the compositor. If libinputis compiled with -Dautoload-plugins any plugin is loaded automatically (Fedora 43 and 44). The XDG_CONFIG_HOME directory is only loaded if enabled by the compositor (e.g. mutter 50 does this). The attacker must be able to deploy a lua plugin in one of the directories loaded by libinput.
An attacker that can deploy a lua file {/usr/share,/etc}/libinput/plugins and possibly XDG_CONFIG_HOME/libinput/plugins can call a GC cleanup function and leave a dangling pointer. This pointer can then be printed to the system logs, potentially exposing sensitive data once the memory location is re-used. For the exploit to work, lua plugins must be enabled in libinput and loaded by the compositor. If libinputis compiled with -Dautoload-plugins any plugin is loaded automatically (Fedora 43 and 44). The XDG_CONFIG_HOME directory is only loaded if enabled by the compositor (e.g. mutter 50 does this). The attacker must be able to deploy a lua plugin in one of the directories loaded by libinput.