Bug 1198111 - (CVE-2022-1215) VUL-0: CVE-2022-1215: libinput: format string vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
Assigned To: Security Team bot
https://smash.suse.de/issue/328130/
CVSSv3.1:SUSE:CVE-2022-1215:8.2:(AV:L...
Depends on:
Blocks:
Reported: 2022-04-05 15:53 UTC by Marcus Meissner
Modified: 2022-05-13 21:25 UTC

See Also:
Found By: Security Response Team

Attachments
0001-evdev-strip-the-device-name-of-format-directives.patch (10.59 KB, patch)
2022-04-05 15:54 UTC, Marcus Meissner
0001-evdev-strip-the-device-name-of-format-directives.patch (10.58 KB, patch)
2022-04-06 07:38 UTC, Marcus Meissner

Comment 1 Marcus Meissner 2022-04-05 15:54:58 UTC
Created attachment 857846
0001-evdev-strip-the-device-name-of-format-directives.patch
Comment 3 Marcus Meissner 2022-04-06 07:38:07 UTC
Created attachment 857857
0001-evdev-strip-the-device-name-of-format-directives.patch

incremental fixed patch
Comment 4 Marcus Meissner 2022-04-13 08:46:20 UTC
Scott, libinput is maintained by gnome-bugs, can you assign to an engineer?
Comment 7 Thomas Leroy 2022-04-20 09:18:48 UTC
Public on OSS mailing list, and on upstream advisory
Comment 8 Thomas Leroy 2022-04-20 09:28:57 UTC
The issue has been made public earlier than expected... @Mike, can you please submit to SUSE:SLE-12-SP1:Update and SUSE:SLE-15-SP4:Update? :)
Comment 9 Michael Gorse 2022-04-20 18:50:02 UTC
SLE-12-SP1 has libinput 1.1.1. I'm not sure if it is affected. The announcement states that versions 1.10 and newer are affected.
Comment 11 Marcus Meissner 2022-04-21 12:24:54 UTC
SLES 12 SP1 libinput does not use the sysname anywhere, so it's not affected.
Comment 13 Swamp Workflow Management 2022-04-22 19:22:41 UTC
SUSE-SU-2022:1305-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198111
CVE References: CVE-2022-1215
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libinput-1.10.5-150000.3.3.1
SUSE Manager Server 4.1 (src):    libinput-1.10.5-150000.3.3.1
SUSE Manager Retail Branch Server 4.1 (src):    libinput-1.10.5-150000.3.3.1
SUSE Manager Proxy 4.1 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server for SAP 15 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Server 15-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libinput-1.10.5-150000.3.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libinput-1.10.5-150000.3.3.1
SUSE Enterprise Storage 7 (src):    libinput-1.10.5-150000.3.3.1
SUSE Enterprise Storage 6 (src):    libinput-1.10.5-150000.3.3.1
SUSE CaaS Platform 4.0 (src):    libinput-1.10.5-150000.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.