Opened 3 years ago
Closed 3 years ago
#16440 closed enhancement (fixed)
libinput-1.20.1
Reported by: | Douglas R. Reno | Owned by: | Bruce Dubbs |
---|---|---|---|
Priority: | elevated | Milestone: | 11.2 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New point release, containing a security fix
Title: Format string vulnerability in libinput
Component: libinput, affecting all Wayland compositors and X.Org when using xf86-input-libinput
Report URL: https://gitlab.freedesktop.org/libinput/libinput/-/issues/752
Reporter: Albin Eldstål-Ahrens and Lukas Lamster
CVSS: 7.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root.

The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices.

All versions of libinput since 1.10 (released Feb 2018) are affected.

The upstream patch is available as commit a423d7d3269dc
https://gitlab.freedesktop.org/libinput/libinput/-/commit/a423d7d3269dc32a87384f79e29bb5ac021c83d1

libinput releases that include these patches are:
- 1.20.1
- 1.19.4
- 1.18.2

Releases of versions 1.17.x and earlier are not planned at this stage.
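
The bug class described in the advisory above, as an added example that is not part of the ticket and is not the upstream patch: a logger that builds its format string from a device name, next to a variant that doubles every `%` in the name first. All function names, buffer sizes and the sample device name used with them are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Double every '%' so the name is literal text inside a format string. */
static int escape_percent(const char *in, char *out, size_t outsz)
{
	size_t o = 0;
	if (outsz == 0)
		return -1;
	for (; *in; in++) {
		size_t need = (*in == '%') ? 2 : 1;
		if (o + need >= outsz)	/* keep room for the terminator */
			return -1;
		if (*in == '%')
			out[o++] = '%';
		out[o++] = *in;
	}
	out[o] = '\0';
	return 0;
}

/* Weak: the device name is pasted into the format string unchanged. */
static int build_fmt_weak(char *buf, size_t n, const char *name, const char *fmt)
{
	int r = snprintf(buf, n, "%s: %s", name, fmt);
	return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Hardened: the name is escaped before it becomes part of the format. */
static int build_fmt_safe(char *buf, size_t n, const char *name, const char *fmt)
{
	char esc[256];
	if (escape_percent(name, esc, sizeof(esc)) < 0)
		return -1;
	return build_fmt_weak(buf, n, esc, fmt);
}

/* Render a log line; only directives in the caller's fmt consume arguments. */
static int log_device(char *out, size_t n, const char *name, const char *fmt, ...)
{
	char full[512];
	va_list ap;
	if (build_fmt_safe(full, sizeof(full), name, fmt) < 0)
		return -1;
	va_start(ap, fmt);
	int r = vsnprintf(out, n, full, ap);
	va_end(ap);
	return (r < 0 || (size_t)r >= n) ? -1 : 0;
}
```

With the weak builder the directives in the name survive into the string that a printf-family call would interpret; with the hardened one they are rendered as plain text and only the caller's own directives are expanded.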
Change History (2)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at commits