libinput 1.29-rc3 (1.28.903) is now available. *This release fixes key codes being logged as part of the debug log output.* Note that only a few users will have been affected by this, see the details below.
Affected are libinput commits 7137eb9702f1 (May 29) and newer, including 1.29-rc1 (1.28.901) and 1.29-rc2 (1.28.902). The 1.28.x releases and earlier are not affected.

Due to a mixup of #if and #ifdef, the meson "internal-event-debugging" option was always interpreted as true and all evdev events were printed as part of the debug log output. Since those include the keyboard key codes, this may result in sensitive data such as passwords ending up in the logs.

These events were printed at the DEBUG priority level and discarded wherever the level was set to anything higher (the default is INFO). So users are only affected where debug printing was enabled. A check of the git repositories of the more common compositors shows:

- kwin: possibly affected. kwin always enables debug logging via libinput_log_set_priority() but passes the log messages to qCDebug(KWIN_LIBINPUT). Unless you have enabled the "kwin_libinput" log category, the messages should have been discarded.
- mutter: not affected. mutter does not call libinput_log_set_priority() and thus defaults to INFO, so debug logging is not enabled.
- wlroots: not affected. wlroots calls libinput_log_set_priority(ERROR), so debug logging is not enabled.
- Xorg via xf86-input-libinput: possibly affected. xf86-input-libinput always enables debug logging and passes the messages with verbosity X_DEBUG to the server. The server filters these unless the user passed --verbose 10 or --logverbose 10 or higher (the default for both is 3).

If you use a compositor other than the above, check whether it calls libinput_log_set_priority() with a level that enables debug logging and, if so, whether those logs are filtered elsewhere.

If you have recently run libinput debug-events --verbose on a keyboard device and posted the output online, double-check those recordings and change your secrets accordingly. libinput record output is not affected; libinput debug-events without the --verbose flag is also not affected.
The issue has been fixed in this RC and, in addition, key codes that fall into the (roughly) alphanumeric range are now obfuscated to only print as KEY_A. Unless your password is a multiple of 'a', this prevents leakage even where the debug option is enabled.

As usual, the git shortlog is below.

Peter Hutterer (7):
      test: fix litest_assert_str_not_in
      test: a skipped test does not count as failure
      plugin/evdev: drop the duplicate event frame printing
      plugin: prevent potential keycode leakage to the logs
      plugin: always obfuscate keycodes
      libinput: obfuscate the keycodes in the "Queuing ..." debug log
      libinput 1.28.903
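A small C example (added here, not libinput's own code) of the two points above: the #if/#ifdef gating mistake, and what obfuscating key codes in the logged event leaves behind. It assumes meson emits the option as a 0/1 macro and uses a constructed obfuscation range; the KEY_* values are the Linux ones from linux/input-event-codes.h.

```c
/* Added example, not libinput's code: a build option defined as 0 still
 * enables a block guarded by #ifdef, and obfuscating key codes limits what
 * such a leak exposes. KEY_* values are from linux/input-event-codes.h;
 * the obfuscation bounds are an assumption, not libinput's exact ones. */
#include <stdio.h>
#define INTERNAL_EVENT_DEBUGGING 0 /* assumed: meson emits the option as 0/1 */

/* Bug: #ifdef only asks whether the macro exists, so 0 still enables it. */
int debug_enabled_with_ifdef(void)
{
#ifdef INTERNAL_EVENT_DEBUGGING
	return 1;
#else
	return 0;
#endif
}

/* Fix: #if evaluates the value, so 0 disables the block. */
int debug_enabled_with_if(void)
{
#if INTERNAL_EVENT_DEBUGGING
	return 1;
#else
	return 0;
#endif
}
#define KEY_ESC 1
#define KEY_A 30
#define KEY_SPACE 57
/* Assumed range: the main typing block KEY_ESC..KEY_SPACE (letters, digits,
 * punctuation and the modifiers between them) collapses to KEY_A; other
 * codes (arrows, media keys, ...) are left as is. */
unsigned int obfuscate_keycode(unsigned int code)
{
	return (code >= KEY_ESC && code <= KEY_SPACE) ? KEY_A : code;
}

/* Format an EV_KEY event as a debug logger might; returns the length. */
int format_key_event(char *buf, size_t len, unsigned int code, int value)
{
	return snprintf(buf, len, "EV_KEY %u %d", obfuscate_keycode(code), value);
}
int main(void)
{
	char buf[32];
	format_key_event(buf, sizeof(buf), 31, 1); /* KEY_S press, logged as 30 */
	printf("ifdef=%d if=%d log=\"%s\"\n", debug_enabled_with_ifdef(),
	       debug_enabled_with_if(), buf);
	return 0;
}
```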