SUSE update for libinput

Published: 2022-04-22

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2022-1215
CWE-ID	CWE-134
Exploitation vector	Local
Public exploit	N/A
Vulnerable software Subscribe	SUSE Linux Enterprise Realtime Extension Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system SUSE Linux Enterprise Desktop Operating systems & Components / Operating system SUSE CaaS Platform Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications Operating systems & Components / Operating system SUSE Linux Enterprise Module for Basesystem Operating systems & Components / Operating system libinput10-32bit-debuginfo Operating systems & Components / Operating system package or component libinput10-32bit Operating systems & Components / Operating system package or component libinput10-debuginfo Operating systems & Components / Operating system package or component libinput10 Operating systems & Components / Operating system package or component libinput-udev-debuginfo Operating systems & Components / Operating system package or component libinput-udev Operating systems & Components / Operating system package or component libinput-tools-debuginfo Operating systems & Components / Operating system package or component libinput-tools Operating systems & Components / Operating system package or component libinput-devel Operating systems & Components / Operating system package or component libinput-debugsource Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Format string error

EUVDB-ID: #VU62452

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-1215

CWE-ID: CWE-134 - Use of Externally-Controlled Format String

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a format string error during logging operation. A local user with ability to control the device name, e.g. /dev/uinput or Bluetooth devices can trigger a format string error and execute arbitrary code on the system with elevated privileges.

Mitigation

Update the affected package libinput to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Realtime Extension: 15-SP2

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3

SUSE Linux Enterprise Server: 15-LTSS - 15-SP3-LTSS

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP3-LTSS

SUSE Enterprise Storage: 6 - 7.1

SUSE Manager Server: 4.1 - 4.2

SUSE Manager Retail Branch Server: 4.1

SUSE Manager Proxy: 4.1 - 4.2

SUSE Linux Enterprise Desktop: 15-SP3

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.3

SUSE Linux Enterprise Server for SAP Applications: 15-SP3

SUSE Linux Enterprise Module for Basesystem: 15-SP3

libinput10-32bit-debuginfo: before 1.10.5-150000.3.3.1

libinput10-32bit: before 1.10.5-150000.3.3.1

libinput10-debuginfo: before 1.10.5-150000.3.3.1

libinput10: before 1.10.5-150000.3.3.1

libinput-udev-debuginfo: before 1.10.5-150000.3.3.1

libinput-udev: before 1.10.5-150000.3.3.1

libinput-tools-debuginfo: before 1.10.5-150000.3.3.1

libinput-tools: before 1.10.5-150000.3.3.1

libinput-devel: before 1.10.5-150000.3.3.1

libinput-debugsource: before 1.10.5-150000.3.3.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20221305-1/

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.