1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

libinput: fix for CVE-2026-50292

Pick patch from [1] & [2] also mentioned at Debian report in [3].

[1] https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc
[2] https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b
[3] https://security-tracker.debian.org/tracker/CVE-2026-50292

More details :
1. https://nvd.nist.gov/vuln/detail/CVE-2026-50292
2. https://www.openwall.com/lists/oss-security/2026/06/04/5

(From OE-Core rev: 19fc681a3fca99801e2e50d6a9c6c921c66a2ce9)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Hitendra Prajapati
2026-06-17 12:03:03 +05:30
committed by Paul Barker
parent ee3a1921cf
commit c0aa173936
3 changed files with 210 additions and 0 deletions
@@ -0,0 +1,109 @@
From fc2262e1c1847021239065e84f39f15492ef05cc Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 1 Jun 2026 10:12:29 +1000
Subject: [PATCH] util: sanitize control characters in str_sanitize()
str_sanitize() only escaped '%' characters for format string safety.
Device names from uinput devices can contain arbitrary bytes including
ANSI escape sequences (ESC, 0x1b) and other control characters. When
these strings are included in log messages and printed to a terminal,
the escape sequences are interpreted by the terminal emulator. This
could allow an attacker to manipulate terminal output (change colors,
set window title, clear screen) when an administrator views libinput
logs.
Replace all control characters (0x00-0x1f and 0x7f) with '?' in
addition to the existing '%' escaping. This prevents terminal escape
sequence injection through device names in log output.
Assisted-by: Claude:claude-opus-4-6
(cherry picked from commit 71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb)
Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>
CVE: CVE-2026-50292
Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/util-strings.h | 30 +++++++++++++++++++++++-------
test/test-utils.c | 10 ++++++++++
2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/src/util-strings.h b/src/util-strings.h
index b0916815..3429ec9c 100644
--- a/src/util-strings.h
+++ b/src/util-strings.h
@@ -456,26 +456,42 @@ trunkname(const char *filename);
/**
* Return a copy of str with all % converted to %% to make the string
- * acceptable as printf format.
+ * acceptable as printf format, and all non-NUL control characters
+ * (bytes 0x01-0x1f, 0x7f) replaced with '?' to prevent terminal
+ * escape sequence injection. NUL bytes are excluded implicitly
+ * because the string is null-terminated.
*/
static inline char *
str_sanitize(const char *str)
{
if (!str)
return NULL;
+ size_t slen = strlen(str);
+ slen = min(slen, 512);
- if (!strchr(str, '%'))
+ bool needs_sanitization = false;
+ for (size_t i = 0; i < slen; i++) {
+ unsigned char c = str[i];
+ if (c == '%' || c < 0x20 || c == 0x7f) {
+ needs_sanitization = true;
+ break;
+ }
+ }
+ if (!needs_sanitization)
return strdup(str);
-
- size_t slen = min(strlen(str), 512);
char *sanitized = zalloc(2 * slen + 1);
const char *src = str;
char *dst = sanitized;
-
for (size_t i = 0; i < slen; i++) {
- if (*src == '%')
+ unsigned char c = *src++;
+ if (c == '%') {
*dst++ = '%';
- *dst++ = *src++;
+ *dst++ = '%';
+ } else if (c < 0x20 || c == 0x7f) {
+ *dst++ = '?';
+ } else {
+ *dst++ = c;
+ }
}
*dst = '\0';
diff --git a/test/test-utils.c b/test/test-utils.c
index fa307031..88aede23 100644
--- a/test/test-utils.c
+++ b/test/test-utils.c
@@ -1388,6 +1388,16 @@ START_TEST(strsanitize_test)
{ "x %", "x %%" },
{ "%sx", "%%sx" },
{ "%s%s", "%%s%%s" },
+ { "\t", "?" },
+ { "\n", "?" },
+ { "\r", "?" },
+ { "\x1b[31m", "?[31m" },
+ { "foo\tbar", "foo?bar" },
+ { "foo\nbar", "foo?bar" },
+ { "\x01\x1f\x7f", "???" },
+ { "clean", "clean" },
+ { "a\x1b[0mb", "a?[0mb" },
+ { "%\n", "%%?" },
{ NULL, NULL },
};
--
2.50.1
@@ -0,0 +1,99 @@
From b2bde9504d42a5976d76e1f27c640dc561fbd99b Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 1 Jun 2026 10:48:24 +1000
Subject: [PATCH] libinput-device-group: sanitize phys before printing it
Bug: https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-50292
A malicious uinput device could set the phys value (via UI_SET_PHYS)
to contain a '\n'. When the value is printed as part of the device group
the udev rules will interpret it as separate property.
Depending on the property this can cause local privilege escalation.
Closes #1296
Found-by: Csome
(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55)
Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>
CVE: CVE-2026-50292
Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
udev/libinput-device-group.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
index 3da904e0..d0522685 100644
--- a/udev/libinput-device-group.c
+++ b/udev/libinput-device-group.c
@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device,
udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
struct udev_device *d;
- const char *path, *phys;
+ char *phys = NULL;
+ const char *path;
const char *pidstr, *vidstr;
int pid, vid, dist;
@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device,
vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
- phys = udev_device_get_sysattr_value(d, "phys");
+ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys"));
if (vidstr && pidstr && phys &&
safe_atoi_base(vidstr, &vid, 16) &&
@@ -138,11 +139,13 @@ wacom_handle_ekr(struct udev_device *device,
best_dist = dist;
free(*phys_attr);
- *phys_attr = safe_strdup(phys);
+ *phys_attr = phys;
+ phys = NULL;
}
}
udev_device_unref(d);
+ free(phys);
}
udev_enumerate_unref(e);
@@ -154,8 +157,8 @@ int main(int argc, char **argv)
int rc = 1;
struct udev *udev = NULL;
struct udev_device *device = NULL;
- const char *syspath,
- *phys = NULL;
+ char *phys = NULL;
+ const char *syspath = NULL;
const char *product;
int bustype, vendor_id, product_id, version;
char group[1024];
@@ -179,8 +182,7 @@ int main(int argc, char **argv)
* bit and use the remainder as device group identifier */
while (device != NULL) {
struct udev_device *parent;
-
- phys = udev_device_get_sysattr_value(device, "phys");
+ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys"));
if (phys)
break;
@@ -249,6 +251,8 @@ int main(int argc, char **argv)
printf("LIBINPUT_DEVICE_GROUP=%s\n", group);
+ free(phys);
+
rc = 0;
out:
if (device)
--
2.50.1
@@ -14,6 +14,8 @@ DEPENDS = "libevdev udev mtdev"
SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=main \
file://run-ptest \
file://CVE-2026-50292-01.patch \
file://CVE-2026-50292-02.patch \
"
SRCREV = "3fd38d89276b679ac3565efd7c2150fd047902cb"
S = "${WORKDIR}/git"