When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller; in the case of Xorg this may be root.
Created libinput tracking bugs for this issue: Affects: fedora-all [bug 2077955]
Why hasn't this CVE been made public yet? This bug has been public since 04.22, and the issue itself has been public since 04.20.

https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
https://www.openwall.com/lists/oss-security/2022/04/20/2
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
>
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Note that we did not assign this CVE ID, so we do not know the answer to this.
Well, that leaves me really baffled. MITRE directed me to RedHat as the assigning CNA.
In reply to comment #6:
> Well, that leaves me really baffled. MITRE directed me to RedHat as the
> assigning CNA.

Yeah that's incorrect. In fact, they assigned this. See here: https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json
In reply to comment #7:
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
>
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

Actually, what I just provided may be incorrect. I'm bringing this to the attention of someone here who could potentially confirm; we'll update you as soon as we can. Thanks for bringing this up.
(In reply to Todd Cullum from comment #7)
> In reply to comment #6:
> > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > assigning CNA.
>
> Yeah that's incorrect. In fact, they assigned this. See here:
> https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json

As far as I've seen, that JSON is the same for all reserved CVEs, with the assigner always being MITRE. I've not been able to find any way to associate a reserved CVE with its CNA.
In reply to comment #10:
> (In reply to Todd Cullum from comment #7)
> > In reply to comment #6:
> > > Well, that leaves me really baffled. MITRE directed me to RedHat as the
> > > assigning CNA.
> >
> > Yeah that's incorrect. In fact, they assigned this. See here:
> > https://github.com/CVEProject/cvelist/blob/fd2d9a4b9ec1412ab5fe680d05c29e1e9687482d/2022/1xxx/CVE-2022-1215.json
>
> As far as I've seen, that JSON is the same for all reserved CVEs, with the
> assigner always being MITRE. I've not been able to find any way to associate
> a reserved CVE with its CNA.

Hi! You're right, hence my comment #8 shortly thereafter above. Sorry about that, stay tuned!
In reply to comment #3:
> Why hasn't this CVE been made public yet? This bug has been public since
> 04.22, and the issue itself has been public since 04.20.
>
> https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
> https://www.openwall.com/lists/oss-security/2022/04/20/2

Hi, We have re-published this to MITRE's end. It should be up there shortly at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1215