When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root.
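As an added illustration of the pattern behind the description above (example code, not code from libinput or from this bug report): a hypothetical printf-backed log handler, the unsafe call that hands the device name over as the format string, the fixed call that passes it as a `%s` argument, and a small check that counts the conversion specifications a name would trigger. All names here are assumptions, not libinput's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handler, shaped like a caller-installed log handler:
 * it ends in a printf-family call, so 'format' is interpreted. */
static char log_buf[256];
static void handler(const char *format, va_list args)
{
    vsnprintf(log_buf, sizeof(log_buf), format, args);
}

static void log_msg(const char *format, ...)
{
    va_list args;
    va_start(args, format);
    handler(format, args);
    va_end(args);
}

/* Vulnerable pattern: the device name itself becomes the format string,
 * so any '%' in it is interpreted by the handler's printf call. */
static const char *log_device_unsafe(const char *devname)
{
    log_msg(devname);
    return log_buf;
}

/* Fixed pattern: constant format, the name travels as a plain argument. */
static const char *log_device_safe(const char *devname)
{
    log_msg("device added: %s", devname);
    return log_buf;
}

/* Count the conversion specifications a string would trigger if it were
 * used as a format ("%%" is a literal percent and does not count). */
static int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%' && p[1] == '%')
            p++;                    /* escaped pair: literal '%' */
        else if (*p == '%')
            n++;
    }
    return n;
}
```

With a constructed name such as "Keyboard 100%% ready", the unsafe path logs "Keyboard 100% ready" (the handler consumed the "%%"), while the fixed path logs the name verbatim.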
Created libinput tracking bugs for this issue: Affects: fedora-all [bug 2077955]
Why hasn't this CVE been made public yet? This bug has been public since 04.22, and the issue itself has been public since 04.20.

https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
https://www.openwall.com/lists/oss-security/2022/04/20/2
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
>
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Note that we did not assign this CVE ID, so we do not know the answer to this.
Well, that leaves me really baffled. MITRE directed me to RedHat as the assigning CNA.
In reply to comment #6:
> Well, that leaves me really baffled. MITRE directed me to RedHat as the
> assigning CNA.

Yeah that's incorrect. In fact, they assigned this. See here: https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json
In reply to comment #7:
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
>
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/
> fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

Actually, that link I just provided may be incorrect. I'm bringing this to the attention of someone here who could potentially confirm; we'll update you as soon as we can. Thanks for bringing this up.
(In reply to Todd Cullum from comment #7)
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
>
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/
> fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

As far as I've seen, that JSON is the same for all reserved CVEs, with the assigner always being MITRE. I've not been able to find any way to associate a reserved CVE with its CNA.
In reply to comment #10:
> (In reply to Todd Cullum from comment #7)
> > In reply to comment #6:
> > > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > > assigning CNA.
> >
> > Yeah that's incorrect. In fact, they assigned this. See here:
> > https://github.com/CVEProject/cvelist/blob/
> > fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json
>
> As far as I've seen, that JSON is the same for all reserved CVEs, with the
> assigner always being MITRE. I've not been able to find any way to associate
> a reserved CVE with its CNA.

Hi! You're right, hence my comment #8 shortly thereafter above. Sorry about that, stay tuned!
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
>
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Hi, we have re-published this to MITRE's end. It should be up there shortly at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1215
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2022:5331 https://access.redhat.com/errata/RHSA-2022:5331
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9
Via RHSA-2022:5257 https://access.redhat.com/errata/RHSA-2022:5257
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1215
(In reply to msiddiqu from comment #13)
> In reply to comment #3:
> > Why hasn't this CVE been made public yet? This bug has been public since
> > 04.22, and the issue itself has been public since 04.20.
> >
> > https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> > https://www.openwall.com/lists/oss-security/2022/04/20/2
>
> Hi, We have re-published this to MITRE's end. It should be up there shortly
> at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1215

Thanks. It would be nice if you could include direct references to the issue/patches and downstream tracking in the CVE:

https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
https://www.openwall.com/lists/oss-security/2022/04/20/2
https://bugzilla.redhat.com/show_bug.cgi?id=2074952
https://gitlab.freedesktop.org/libinput/libinput/-/commit/a423d7d3269dc32a87384f79e29bb5ac021c83d1
https://gitlab.freedesktop.org/libinput/libinput/-/commit/562157f2a56537f353ca49b194efeb770004ba63
https://gitlab.freedesktop.org/libinput/libinput/-/commit/04f22107e1a2ead05401d9169fa4306e8c7eefad
https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-1215