{"object_kind":"push","event_name":"push","before":"29338d824b5ec28c99880e71ac879b88c2fa0f36","after":"7c49e6112d5b109755e6b2685f1fbfbaa29ec9e6","ref":"refs/heads/main","ref_protected":false,"checkout_sha":"7c49e6112d5b109755e6b2685f1fbfbaa29ec9e6","message":null,"user_id":9716,"user_name":"Marge Bot","user_username":"marge-bot","user_email":"","user_avatar":"https://gitlab.freedesktop.org/uploads/-/system/user/avatar/9716/marge.png","project_id":147,"project":{"id":147,"name":"libinput","description":"Input device management and event handling library","web_url":"https://gitlab.freedesktop.org/libinput/libinput","avatar_url":null,"git_ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","git_http_url":"https://gitlab.freedesktop.org/libinput/libinput.git","namespace":"libinput","visibility_level":20,"path_with_namespace":"libinput/libinput","default_branch":"main","ci_config_path":"","homepage":"https://gitlab.freedesktop.org/libinput/libinput","url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","http_url":"https://gitlab.freedesktop.org/libinput/libinput.git"},"commits":[{"id":"6efbf9ff74ab401009761e86b0ce23caf957266c","message":"totem: require both touch size axes to have resolution\n\nWe use the resolution later as divisor so let's protect agianst division\nby zero. This is not an issue on the real device but a malicious uinput\ndevice may try to trigger this.\n\nAssisted-by: Claude:claude-opus-4-6\nPart-of: \n","title":"totem: require both touch size axes to have resolution","timestamp":"2026-06-03T21:45:28+00:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/6efbf9ff74ab401009761e86b0ce23caf957266c","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["src/evdev-totem.c","test/litest.h","test/test-totem.c"],"removed":[]},{"id":"04a35384e6bd6a8d6d1f6c4c3bad7c79ae7ad163","message":"evdev: be stricter about devices with odd absinfo values\n\nReject devices that have extreme min/max values (might cause integer\noverflow in libinput), negative resolutions and a min > max.\n\nThe former two could be triggered by malicious input devices.\n\nPart-of: \n","title":"evdev: be stricter about devices with odd absinfo values","timestamp":"2026-06-03T21:45:28+00:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/04a35384e6bd6a8d6d1f6c4c3bad7c79ae7ad163","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["src/evdev.c","test/test-device.c"],"removed":[]},{"id":"af084f375c5fd1a23760fae9fca59a74f90404a0","message":"pad: ignore invalid strip axis values\n\nwe call log2() on both maximum and value so ensure they're never zero or\nnegative.\n\nPart-of: \n","title":"pad: ignore invalid strip axis values","timestamp":"2026-06-03T21:45:28+00:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/af084f375c5fd1a23760fae9fca59a74f90404a0","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["src/evdev-tablet-pad.c","test/test-pad.c"],"removed":[]},{"id":"71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb","message":"util: sanitize control characters in str_sanitize()\n\nstr_sanitize() only escaped '%' characters for format string safety.\nDevice names from uinput devices can contain arbitrary bytes including\nANSI escape sequences (ESC, 0x1b) and other control characters. When\nthese strings are included in log messages and printed to a terminal,\nthe escape sequences are interpreted by the terminal emulator. This\ncould allow an attacker to manipulate terminal output (change colors,\nset window title, clear screen) when an administrator views libinput\nlogs.\n\nReplace all control characters (0x00-0x1f and 0x7f) with '?' in\naddition to the existing '%' escaping. This prevents terminal escape\nsequence injection through device names in log output.\n\nAssisted-by: Claude:claude-opus-4-6\nPart-of: \n","title":"util: sanitize control characters in str_sanitize()","timestamp":"2026-06-03T21:45:28+00:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["src/util-strings.h","test/test-utils.c"],"removed":[]},{"id":"7c49e6112d5b109755e6b2685f1fbfbaa29ec9e6","message":"tools: sanitize device names in libinput-record YAML output\n\nThe device name was written directly into a YAML double-quoted string\nwithout sanitization. A malicious device name containing control\ncharacters or newlines can break the YAML structure, potentially\ncausing parsers (libinput-replay, libinput-analyze-recording) to\ninterpret injected YAML keys.\n\nUse str_sanitize() to replace control characters before writing the\nname into the YAML output.\n\nThis will also replace any % in the device name with % but... meh.\n\nAssisted-by: Claude:claude-opus-4-6\nPart-of: \n","title":"tools: sanitize device names in libinput-record YAML output","timestamp":"2026-06-03T21:45:28+00:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/7c49e6112d5b109755e6b2685f1fbfbaa29ec9e6","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["tools/libinput-record.c"],"removed":[]}],"total_commits_count":5,"push_options":{},"repository":{"name":"libinput","url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","description":"Input device management and event handling library","homepage":"https://gitlab.freedesktop.org/libinput/libinput","git_http_url":"https://gitlab.freedesktop.org/libinput/libinput.git","git_ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","visibility_level":20}}