{"object_kind":"push","event_name":"push","before":"faf6f27dfe2dd19b21981892c8d89ed9f087e462","after":"b2bde9504d42a5976d76e1f27c640dc561fbd99b","ref":"refs/heads/1.30-branch","ref_protected":false,"checkout_sha":"b2bde9504d42a5976d76e1f27c640dc561fbd99b","message":null,"user_id":9716,"user_name":"Marge Bot","user_username":"marge-bot","user_email":"","user_avatar":"https://gitlab.freedesktop.org/uploads/-/system/user/avatar/9716/marge.png","project_id":147,"project":{"id":147,"name":"libinput","description":"Input device management and event handling library","web_url":"https://gitlab.freedesktop.org/libinput/libinput","avatar_url":null,"git_ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","git_http_url":"https://gitlab.freedesktop.org/libinput/libinput.git","namespace":"libinput","visibility_level":20,"path_with_namespace":"libinput/libinput","default_branch":"main","ci_config_path":"","homepage":"https://gitlab.freedesktop.org/libinput/libinput","url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","http_url":"https://gitlab.freedesktop.org/libinput/libinput.git"},"commits":[{"id":"fc2262e1c1847021239065e84f39f15492ef05cc","message":"util: sanitize control characters in str_sanitize()\n\nstr_sanitize() only escaped '%' characters for format string safety.\nDevice names from uinput devices can contain arbitrary bytes including\nANSI escape sequences (ESC, 0x1b) and other control characters. When\nthese strings are included in log messages and printed to a terminal,\nthe escape sequences are interpreted by the terminal emulator. This\ncould allow an attacker to manipulate terminal output (change colors,\nset window title, clear screen) when an administrator views libinput\nlogs.\n\nReplace all control characters (0x00-0x1f and 0x7f) with '?' in\naddition to the existing '%' escaping. This prevents terminal escape\nsequence injection through device names in log output.\n\nAssisted-by: Claude:claude-opus-4-6\n(cherry picked from commit 71a2c5cae2a80a1e3bb29e3f3a07ccc3f3de5acb)\n\nPart-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>\n","title":"util: sanitize control characters in str_sanitize()","timestamp":"2026-06-04T10:32:28+10:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["src/util-strings.h","test/test-utils.c"],"removed":[]},{"id":"b2bde9504d42a5976d76e1f27c640dc561fbd99b","message":"libinput-device-group: sanitize phys before printing it\n\nA malicious uinput device could set the phys value (via UI_SET_PHYS)\nto contain a '\\n'. When the value is printed as part of the device group\nthe udev rules will interpret it as separate property.\n\nDepending on the property this can cause local privilege escalation.\n\nCloses #1296\n\nFound-by: Csome\n(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55)\n\nPart-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1489>\n","title":"libinput-device-group: sanitize phys before printing it","timestamp":"2026-06-04T10:32:30+10:00","url":"https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b","author":{"name":"Peter Hutterer","email":"peter.hutterer@who-t.net"},"added":[],"modified":["udev/libinput-device-group.c"],"removed":[]}],"total_commits_count":2,"push_options":{},"repository":{"name":"libinput","url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","description":"Input device management and event handling library","homepage":"https://gitlab.freedesktop.org/libinput/libinput","git_http_url":"https://gitlab.freedesktop.org/libinput/libinput.git","git_ssh_url":"git@ssh.gitlab.freedesktop.org:libinput/libinput.git","visibility_level":20}}