CVE-2022-1215: 
NixOS vulnerability analysis and mitigation

A format string vulnerability (CVE-2022-1215) was discovered in libinput, affecting all versions since 1.10 (released Feb 2018). The vulnerability impacts all Wayland compositors and X.Org when using xf86-input-libinput. The issue was discovered by Albin Eldstål-Ahrens, Lukas Lamster, and Benjamin Svensson from Assured AB (OSS Security).

When libinput detects a device, it logs messages through handlers set up by callers, which typically result in printf calls. The vulnerability occurs because device names become part of the format string, allowing printf-style format string placeholders in device names to potentially enable code execution. The vulnerability has a CVSS score of 7.1 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C) (OSS Security).

The logging occurs with the privileges of the caller, which in the case of Xorg may be root. This means that an attacker who controls device names could potentially execute malicious code with elevated privileges (Gentoo Security).

The vulnerability was patched in libinput versions 1.20.1, 1.19.4, and 1.18.2. The fix is available in commit 2a8b8fde90d63d48ce09ddae44142674bbca1c28. Releases of versions 1.17.x and earlier were not planned for updates. Users are advised to upgrade to the patched versions (OSS Security).