Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

libinput 代码注入漏洞

libinput是freedesktop开源的一个库，它为显示服务器和其他需要处理内核提供的输入设备的应用程序提供完整的输入堆栈。 libinput存在代码注入漏洞，该漏洞源于本地攻击者可在特定配置目录放置特制Lua字节码文件以绕过安全限制，可能导致运行未授权代码并监控键盘输入。

N/A

N/A