diff --git a/0001-evdev-strip-the-device-name-of-format-directives.patch b/0001-evdev-strip-the-device-name-of-format-directives.patch deleted file mode 100644 index e3bda87..0000000 --- a/0001-evdev-strip-the-device-name-of-format-directives.patch +++ /dev/null @@ -1,355 +0,0 @@ -From 0fd73ca67649b359abc68ee7f6c6778c97681f76 Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Wed, 30 Mar 2022 09:25:22 +1000 -Subject: [PATCH] evdev: strip the device name of format directives -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This fixes a format string vulnerabilty. - -evdev_log_message() composes a format string consisting of a fixed -prefix (including the rendered device name) and the passed-in format -buffer. This format string is then passed with the arguments to the -actual log handler, which usually and eventually ends up being printf. - -If the device name contains a printf-style format directive, these ended -up in the format string and thus get interpreted correctly, e.g. for a -device "Foo%sBar" the log message vs printf invocation ends up being: - evdev_log_message(device, "some message %s", "some argument"); - printf("event9 - Foo%sBar: some message %s", "some argument"); - -This can enable an attacker to execute malicious code with the -privileges of the process using libinput. - -To exploit this, an attacker needs to be able to create a kernel device -with a malicious name, e.g. through /dev/uinput or a Bluetooth device. - -To fix this, convert any potential format directives in the device name -by duplicating percentages. - -Pre-rendering the device to avoid the issue altogether would be nicer -but the current log level hooks do not easily allow for this. The device -name is the only user-controlled part of the format string. - -A second potential issue is the sysname of the device which is also -sanitized. - -This issue was found by Albin Eldstål-Ahrens and Benjamin Svensson from -Assured AB. - -Signed-off-by: Peter Hutterer ---- - meson.build | 1 + - src/evdev.c | 31 +++++++++++------ - src/evdev.h | 6 ++-- - src/util-strings.h | 30 ++++++++++++++++ - test/litest-device-format-string.c | 56 ++++++++++++++++++++++++++++++ - test/litest.h | 1 + - test/test-utils.c | 26 ++++++++++++++ - 7 files changed, 139 insertions(+), 12 deletions(-) - create mode 100644 test/litest-device-format-string.c - -diff --git meson.build meson.build -index 97649e57..1407aac5 100644 ---- meson.build -+++ meson.build -@@ -734,6 +734,7 @@ if get_option('tests') - 'test/litest-device-dell-canvas-totem-touch.c', - 'test/litest-device-elantech-touchpad.c', - 'test/litest-device-elan-tablet.c', -+ 'test/litest-device-format-string.c', - 'test/litest-device-generic-pressurepad.c', - 'test/litest-device-generic-singletouch.c', - 'test/litest-device-gpio-keys.c', -diff --git src/evdev.c src/evdev.c -index d0090c86..3c31b59a 100644 ---- src/evdev.c -+++ src/evdev.c -@@ -2384,19 +2384,19 @@ evdev_device_create(struct libinput_seat *seat, - struct libinput *libinput = seat->libinput; - struct evdev_device *device = NULL; - int rc; -- int fd; -+ int fd = -1; - int unhandled_device = 0; - const char *devnode = udev_device_get_devnode(udev_device); -- const char *sysname = udev_device_get_sysname(udev_device); -+ char *sysname = str_sanitize(udev_device_get_sysname(udev_device)); - - if (!devnode) { - log_info(libinput, "%s: no device node associated\n", sysname); -- return NULL; -+ goto err; - } - - if (udev_device_should_be_ignored(udev_device)) { - log_debug(libinput, "%s: device is ignored\n", sysname); -- return NULL; -+ goto err; - } - - /* Use non-blocking mode so that we can loop on read on -@@ -2410,13 +2410,15 @@ evdev_device_create(struct libinput_seat *seat, - sysname, - devnode, - strerror(-fd)); -- return NULL; -+ goto err; - } - - if (!evdev_device_have_same_syspath(udev_device, fd)) - goto err; - - device = zalloc(sizeof *device); -+ device->sysname = sysname; -+ sysname = NULL; - - libinput_device_init(&device->base, seat); - libinput_seat_ref(seat); -@@ -2439,6 +2441,9 @@ evdev_device_create(struct libinput_seat *seat, - device->dispatch = NULL; - device->fd = fd; - device->devname = libevdev_get_name(device->evdev); -+ /* the log_prefix_name is used as part of a printf format string and -+ * must not contain % directives, see evdev_log_msg */ -+ device->log_prefix_name = str_sanitize(device->devname); - device->scroll.threshold = 5.0; /* Default may be overridden */ - device->scroll.direction_lock_threshold = 5.0; /* Default may be overridden */ - device->scroll.direction = 0; -@@ -2479,12 +2484,16 @@ evdev_device_create(struct libinput_seat *seat, - return device; - - err: -- close_restricted(libinput, fd); -- if (device) { -- unhandled_device = device->seat_caps == 0; -- evdev_device_destroy(device); -+ if (fd >= 0) { -+ close_restricted(libinput, fd); -+ if (device) { -+ unhandled_device = device->seat_caps == 0; -+ evdev_device_destroy(device); -+ } - } - -+ free(sysname); -+ - return unhandled_device ? EVDEV_UNHANDLED_DEVICE : NULL; - } - -@@ -2497,7 +2506,7 @@ evdev_device_get_output(struct evdev_device *device) - const char * - evdev_device_get_sysname(struct evdev_device *device) - { -- return udev_device_get_sysname(device->udev_device); -+ return device->sysname; - } - - const char * -@@ -3094,6 +3103,8 @@ evdev_device_destroy(struct evdev_device *device) - if (device->base.group) - libinput_device_group_unref(device->base.group); - -+ free(device->log_prefix_name); -+ free(device->sysname); - free(device->output_name); - filter_destroy(device->pointer.filter); - libinput_timer_destroy(&device->scroll.timer); -diff --git src/evdev.h src/evdev.h -index c7d130f8..980c5943 100644 ---- src/evdev.h -+++ src/evdev.h -@@ -169,6 +169,8 @@ struct evdev_device { - struct udev_device *udev_device; - char *output_name; - const char *devname; -+ char *log_prefix_name; -+ char *sysname; - bool was_removed; - int fd; - enum evdev_device_seat_capability seat_caps; -@@ -786,7 +788,7 @@ evdev_log_msg(struct evdev_device *device, - sizeof(buf), - "%-7s - %s%s%s", - evdev_device_get_sysname(device), -- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", -+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", - (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", - format); - -@@ -824,7 +826,7 @@ evdev_log_msg_ratelimit(struct evdev_device *device, - sizeof(buf), - "%-7s - %s%s%s", - evdev_device_get_sysname(device), -- (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->devname : "", -+ (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? device->log_prefix_name : "", - (priority > LIBINPUT_LOG_PRIORITY_DEBUG) ? ": " : "", - format); - -diff --git src/util-strings.h src/util-strings.h -index 2a15fab3..d5a84146 100644 ---- src/util-strings.h -+++ src/util-strings.h -@@ -43,6 +43,8 @@ - #include - #endif - -+#include "util-macros.h" -+ - static inline bool - streq(const char *str1, const char *str2) - { -@@ -398,3 +400,31 @@ safe_basename(const char *filename); - - char * - trunkname(const char *filename); -+ -+/** -+ * Return a copy of str with all % converted to %% to make the string -+ * acceptable as printf format. -+ */ -+static inline char * -+str_sanitize(const char *str) -+{ -+ if (!str) -+ return NULL; -+ -+ if (!strchr(str, '%')) -+ return strdup(str); -+ -+ size_t slen = min(strlen(str), 512); -+ char *sanitized = zalloc(2 * slen + 1); -+ const char *src = str; -+ char *dst = sanitized; -+ -+ for (size_t i = 0; i < slen; i++) { -+ if (*src == '%') -+ *dst++ = '%'; -+ *dst++ = *src++; -+ } -+ *dst = '\0'; -+ -+ return sanitized; -+} -diff --git test/litest-device-format-string.c test/litest-device-format-string.c -new file mode 100644 -index 00000000..aed15db4 ---- /dev/null -+++ test/litest-device-format-string.c -@@ -0,0 +1,56 @@ -+ -+/* -+ * Copyright © 2013 Red Hat, Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -+ * DEALINGS IN THE SOFTWARE. -+ */ -+ -+#include "config.h" -+ -+#include "litest.h" -+#include "litest-int.h" -+ -+static struct input_id input_id = { -+ .bustype = 0x3, -+ .vendor = 0x0123, -+ .product = 0x0456, -+}; -+ -+static int events[] = { -+ EV_KEY, BTN_LEFT, -+ EV_KEY, BTN_RIGHT, -+ EV_KEY, BTN_MIDDLE, -+ EV_REL, REL_X, -+ EV_REL, REL_Y, -+ EV_REL, REL_WHEEL, -+ EV_REL, REL_WHEEL_HI_RES, -+ -1 , -1, -+}; -+ -+TEST_DEVICE("mouse-format-string", -+ .type = LITEST_MOUSE_FORMAT_STRING, -+ .features = LITEST_RELATIVE | LITEST_BUTTON | LITEST_WHEEL, -+ .interface = NULL, -+ -+ .name = "Evil %s %d %x Mouse %p %", -+ .id = &input_id, -+ .absinfo = NULL, -+ .events = events, -+) -diff --git test/litest.h test/litest.h -index 4982e516..1b1daa90 100644 ---- test/litest.h -+++ test/litest.h -@@ -321,6 +321,7 @@ enum litest_device_type { - LITEST_KEYBOARD_QUIRKED, - LITEST_SYNAPTICS_PRESSUREPAD, - LITEST_GENERIC_PRESSUREPAD, -+ LITEST_MOUSE_FORMAT_STRING, - }; - - #define LITEST_DEVICELESS -2 -diff --git test/test-utils.c test/test-utils.c -index ca804a94..46444d8a 100644 ---- test/test-utils.c -+++ test/test-utils.c -@@ -1316,6 +1316,31 @@ START_TEST(strstartswith_test) - } - END_TEST - -+START_TEST(strsanitize_test) -+{ -+ struct strsanitize_test { -+ const char *string; -+ const char *expected; -+ } tests[] = { -+ { "foobar", "foobar" }, -+ { "", "" }, -+ { "%", "%%" }, -+ { "%%%%", "%%%%%%%%" }, -+ { "x %s", "x %%s" }, -+ { "x %", "x %%" }, -+ { "%sx", "%%sx" }, -+ { "%s%s", "%%s%%s" }, -+ { NULL, NULL }, -+ }; -+ -+ for (struct strsanitize_test *t = tests; t->string; t++) { -+ char *sanitized = str_sanitize(t->string); -+ ck_assert_str_eq(sanitized, t->expected); -+ free(sanitized); -+ } -+} -+END_TEST -+ - START_TEST(list_test_insert) - { - struct list_test { -@@ -1538,6 +1563,7 @@ litest_utils_suite(void) - tcase_add_test(tc, strstrip_test); - tcase_add_test(tc, strendswith_test); - tcase_add_test(tc, strstartswith_test); -+ tcase_add_test(tc, strsanitize_test); - tcase_add_test(tc, time_conversion); - tcase_add_test(tc, human_time); - --- -2.35.1 - diff --git a/libinput-1.14.1-vs-1.15.6.yaml b/libinput-1.14.1-vs-1.15.6.yaml deleted file mode 100644 index cb3f37a..0000000 --- a/libinput-1.14.1-vs-1.15.6.yaml +++ /dev/null @@ -1,45 +0,0 @@ -name: libinput -old_version: 1.14.1 -new_version: 1.15.6 -interface_differences: -- type: 'feature' - item: 添加HP Elite x2 1013 G3 - diff: 将HP Elite x2 1013 G3键盘标记为外部键盘 - influence: 功能增强 -- type: 'feature' - item: markdown - diff: 删除markdown源码解析器,废弃此功能 - influence: 功能优化 -- type: 'feature' - item: 增加Lenovo ThinkPad X200 Tablet - diff: 为quirk模式添加Lenovo ThinkPad X200 Tablet - influence: 功能增强 -- type: 'feature' - item: 使用qemu - diff: 添加使用qemu运行完整的测试套件的支持,允许失败,至少可以利用它 - influence: 功能增强 -- type: 'feature' - item: 添加滚动按钮 - diff: 添加滚动按钮锁定功能 - influence: 功能增强 -- type: 'feature' - item: 在quirks模式添加RollerMouse Free 3 - diff: 添加RollerMouse Free 3进行双击修复 - influence: 功能增强 -- type: 'feature' - item: 从libinput - diff: 删除特定的libinput度量工具 - influence: 功能优化 -- type: 'feature' - item: tools - diff: 只要笔尖在逻辑上向下,就会显示一个额外的正方形。 - influence: 功能增强 -- type: 'ABI' - item: tablet - diff: 添加一个tablet_get_current_tool,用于获取当前工具 - influence: 功能增强 -- type: 'ABI' - item: touchpad - diff: 添加一个tp_tap_move_to_dead,用于控制移动后不允许多手指点击 - influence: 功能增强 -remark: '新增函数和特性,对老特性无影响,libinput为触摸屏基础库,被图形桌面引入,无相关产品使用,影响小;' \ No newline at end of file diff --git a/libinput-1.19.2.tar.xz b/libinput-1.19.2.tar.xz deleted file mode 100644 index 54dc33e..0000000 Binary files a/libinput-1.19.2.tar.xz and /dev/null differ diff --git a/libinput-1.22.1.tar.gz b/libinput-1.22.1.tar.gz new file mode 100755 index 0000000..d2c706c Binary files /dev/null and b/libinput-1.22.1.tar.gz differ diff --git a/libinput.spec b/libinput.spec index b240d7f..3ac3df1 100644 --- a/libinput.spec +++ b/libinput.spec @@ -1,11 +1,10 @@ Name: libinput -Version: 1.19.2 -Release: 2 +Version: 1.22.1 +Release: 1 Summary: Input device management and event handling library License: MIT -URL: https://www.freedesktop.org/wiki/Software/libinput/ -Source0: https://www.freedesktop.org/software/libinput/libinput-%{version}.tar.xz -patch0001: 0001-evdev-strip-the-device-name-of-format-directives.patch +URL: https://gitlab.freedesktop.org/libinput/libinput/-/releases +Source0: https://gitlab.freedesktop.org/libinput/libinput/-/archive/%{version}/libinput-%{version}.tar.gz BuildRequires: gcc gcc-c++ python3-devel meson pkgconfig(libudev) pkgconfig(mtdev) pkgconfig(libevdev) pkgconfig(libwacom) @@ -84,6 +83,9 @@ The %{name}-doc package contains document files. %{_mandir}/man1/* %changelog +* Fri Feb 10 2023 Liu Yuntao - 1.22.1-1 +- update to 1.22.1, and update upstream URL + * Tue Jun 7 2022 zhouwenpei - 1.19.2-2 - fix CVE-2022-1215