An attacker who can deploy a pre-compiled Lua bytecode file in {/usr/share,/etc}/libinput/plugins and/or XDG_CONFIG_HOME/libinput/plugins can run unrestricted code in the process that uses libinput, typically the compositor. Lua bytecode is not verified at runtime, and the sandboxing restrictions are no longer in effect. This allows an attacker to monitor any keyboard events and send them to an external destination and/or execute virtually any code with the calling process's privileges.

For the exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor. If libinput is compiled with -Dautoload-plugins, any plugin is loaded automatically (Fedora 43 and 44). The XDG_CONFIG_HOME directory is only loaded if enabled by the compositor (e.g. mutter 50 does this). The attacker must be able to deploy a Lua plugin in one of the directories loaded by libinput.
This issue affects Fedora 43 and 44 only. It does not affect any current RHEL version.
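
A defensive check for the condition described above, as an added example that is not part of the original advisory or libinput's own code: it scans the plugin directories named above for files that start with the Lua bytecode signature (ESC followed by "Lua") and reports plugin directories that group or other can write to. The function names and the recursive, extension-agnostic scan are assumptions of this example.

```python
import os
from pathlib import Path

LUA_BYTECODE_MAGIC = b"\x1bLua"  # signature at the start of precompiled Lua chunks

def plugin_dirs(env=os.environ):
    """Directories named in the advisory; XDG_CONFIG_HOME falls back to ~/.config."""
    xdg = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", ""), ".config")
    return [Path("/usr/share/libinput/plugins"),
            Path("/etc/libinput/plugins"),
            Path(xdg) / "libinput" / "plugins"]

def find_bytecode_plugins(dirs):
    """Return (path, reason) for each file that is bytecode or could not be read."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        # Assumption: scan every file recursively, whatever its extension,
        # rather than guessing which names libinput would load.
        for path in sorted(d.rglob("*")):
            if not path.is_file():
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(LUA_BYTECODE_MAGIC))
            except OSError as exc:
                findings.append((path, f"unreadable: {exc.strerror}"))
                continue
            if head == LUA_BYTECODE_MAGIC:
                findings.append((path, "precompiled Lua bytecode"))
    return findings

def writable_by_others(dirs):
    """Plugin directories that group or other can write to (deployment risk)."""
    return [d for d in dirs if d.is_dir() and d.stat().st_mode & 0o022]

if __name__ == "__main__":
    dirs = plugin_dirs()
    for path, reason in find_bytecode_plugins(dirs):
        print(f"{path}: {reason}")
    for d in writable_by_others(dirs):
        print(f"{d}: writable by group/other")
```

Plain-text Lua source never begins with the ESC byte, so a hit means the file is a precompiled chunk and should be reviewed or removed.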
> This issue affects Fedora 43 and 44 only.

This is still significant, as those versions are currently in use. It seems like libinput 1.30.3 and 1.31.1 have the fix applied. https://lore.freedesktop.org/wayland-devel/ac3BvFsDqg9DGmS5@quokka/