libinput
cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*
A vulnerability in libinput allows local attackers to execute unauthorized code by placing a specially crafted Lua bytecode file in specific system or user configuration directories. This exploitation can bypass security restrictions and execute code with the same permissions as the application using libinput, such as a graphical compositor. The vulnerability could lead to monitoring keyboard input and transmitting that information to an external location.
Exploitation of this vulnerability allows for unauthorized code execution and information disclosure. The injected code can run with the same privileges as the application using libinput, potentially accessing sensitive resources or data.
To reproduce this vulnerability, a local attacker must place a crafted Lua bytecode file in one of the libinput plugin directories: the system-wide directory (/usr/share/libinput/plugins) or the user-specific directory ($XDG_CONFIG_HOME/libinput/plugins). Once the file is in place, the graphical compositor must be configured to load Lua plugins. If libinput is compiled with the autoload-plugins option, any plugin in the designated directories is loaded automatically. After these steps, the injected Lua bytecode can execute unrestricted code in the context of the user running libinput.
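An added audit script, not part of this advisory or of libinput, that walks the two plugin directories named above and flags files that are precompiled Lua bytecode (Lua chunks start with ESC followed by "Lua") or that are writable by group or others; the fallback of ~/.config when XDG_CONFIG_HOME is unset is an assumption based on the XDG convention, and demo() uses constructed sample files.

```python
#!/usr/bin/env python3
"""Audit libinput plugin directories for precompiled Lua bytecode."""
import os
import stat
import tempfile
from pathlib import Path

# Precompiled Lua chunks begin with ESC "Lua" (lundump.h signature).
LUA_SIGNATURE = b"\x1bLua"


def is_lua_bytecode(head: bytes) -> bool:
    """True if the leading bytes carry the Lua bytecode signature."""
    return head.startswith(LUA_SIGNATURE)


def plugin_dirs() -> list:
    """Directories named in the advisory; ~/.config fallback is assumed."""
    xdg = os.environ.get("XDG_CONFIG_HOME") or str(Path.home() / ".config")
    return [Path("/usr/share/libinput/plugins"),
            Path(xdg) / "libinput" / "plugins"]


def audit_plugin_dir(directory: Path) -> list:
    """Return (path, reason) findings for suspicious files in directory."""
    findings = []
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        with open(entry, "rb") as fh:
            head = fh.read(len(LUA_SIGNATURE))
        if is_lua_bytecode(head):
            findings.append((entry.name, "precompiled Lua bytecode, not source"))
        if entry.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry.name, "writable by group or others"))
    return findings


def demo() -> list:
    """Constructed sample: one source plugin and one bytecode plugin."""
    d = Path(tempfile.mkdtemp())
    (d / "ok.lua").write_bytes(b"-- plain Lua source\nreturn 1\n")
    (d / "odd.lua").write_bytes(LUA_SIGNATURE + b"\x54\x00")  # fake header
    for f in d.iterdir():
        os.chmod(f, 0o644)
    return audit_plugin_dir(d)


if __name__ == "__main__":
    for path, reason in [f for d in plugin_dirs() for f in audit_plugin_dir(d)]:
        print(f"{path}: {reason}")
```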