Koen Tange

Name of the Vulnerable Software and Affected Versions libinput (affected versions not specified) Description A flaw exists in libinput that allows a local attacker to bypass security restrictions by placing a specially crafted Lua bytecode file in specific system or user configuration directories. This can lead to the execution of unauthorized code with the same permissions as the program utilizing libinput, such as a graphical compositor. Successful exploitation could allow an attacker to monitor keyboard input and transmit it to an external location. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions libinput (affected versions not specified) Description A flaw exists in libinput where an attacker who can deploy a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, resulting in a pointer that could be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. Successful exploitation requires Lua plugins to be enabled in libinput and loaded by the compositor. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.