Source: libinput
Version: 1.31.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for libinput.

I set the severity to grave to make sure the fix goes in before forky (I would expect that anyway), but feel free to downgrade if you do not agree.

CVE-2026-35093[0]:
| A flaw was found in libinput. A local attacker who can place a
| specially crafted Lua bytecode file in certain system or user
| configuration directories can bypass security restrictions. This
| allows the attacker to run unauthorized code with the same
| permissions as the program using libinput, such as a graphical
| compositor. This could lead to the attacker monitoring keyboard
| input and sending that information to an external location.

CVE-2026-35094[1]:
| A flaw was found in libinput. An attacker capable of deploying a Lua
| plugin file in specific system directories can exploit a dangling
| pointer vulnerability. This occurs when a garbage collection cleanup
| function is called, leaving a pointer that can then be printed to
| system logs. This could potentially expose sensitive data if the
| memory location is re-used, leading to information disclosure. For
| this exploit to work, Lua plugins must be enabled in libinput and
| loaded by the compositor.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-35093
    https://www.cve.org/CVERecord?id=CVE-2026-35093
[1] https://security-tracker.debian.org/tracker/CVE-2026-35094
    https://www.cve.org/CVERecord?id=CVE-2026-35094

Regards,
Salvatore

