From c0f3f5ddb5b9b285d6409b12622f60e5ca53dfbe Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Fri, 5 Jun 2026 16:55:12 +0000 Subject: [PATCH 1/2] Patch libinput for CVE-2026-50292 --- SPECS/libinput/CVE-2026-50292.patch | 66 +++++++++++++++++++++++++++++ SPECS/libinput/libinput.spec | 6 ++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 SPECS/libinput/CVE-2026-50292.patch diff --git a/SPECS/libinput/CVE-2026-50292.patch b/SPECS/libinput/CVE-2026-50292.patch new file mode 100644 index 00000000000..a616e8fb47e --- /dev/null +++ b/SPECS/libinput/CVE-2026-50292.patch 
@@ -0,0 +1,66 @@ +From 18f10cea9cd948e05fab8f28dc2d496b2a64cbe5 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Fri, 5 Jun 2026 16:47:50 +0000 +Subject: [PATCH] libinput-device-group: sanitize phys before printing it + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b.patch +--- + udev/libinput-device-group.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c +index 3da904e..314b5cc 100644 +--- a/udev/libinput-device-group.c ++++ b/udev/libinput-device-group.c +@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device, + + udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) { + struct udev_device *d; +- const char *path, *phys; ++ _autofree_ char *phys = NULL; ++ const char *path; + const char *pidstr, *vidstr; + int pid, vid, dist; + +@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device, + + vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID"); + pidstr = udev_device_get_property_value(d, "ID_MODEL_ID"); +- phys = udev_device_get_sysattr_value(d, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")); + + if (vidstr && pidstr && phys && + safe_atoi_base(vidstr, &vid, 16) && +@@ -138,7 +139,7 @@ wacom_handle_ekr(struct udev_device *device, + best_dist = dist; + + free(*phys_attr); +- *phys_attr = safe_strdup(phys); ++ *phys_attr = steal(&phys); + } + } + +@@ -154,8 +155,8 @@ int main(int argc, char **argv) + int rc = 1; + struct udev *udev = NULL; + struct udev_device *device = NULL; +- const char *syspath, +- *phys = NULL; ++ _autofree_ char *phys = NULL; ++ const char *syspath = NULL; + const char *product; + int bustype, vendor_id, product_id, version; + char group[1024]; +@@ -180,7 +181,7 @@ int main(int argc, char **argv) + while (device != NULL) { + struct udev_device 
*parent; + +- phys = udev_device_get_sysattr_value(device, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys")); + if (phys) + break; + +-- +2.45.4 + diff --git a/SPECS/libinput/libinput.spec b/SPECS/libinput/libinput.spec index 2ea14599732..9ae9bdabdb2 100644 --- a/SPECS/libinput/libinput.spec +++ b/SPECS/libinput/libinput.spec @@ -3,12 +3,13 @@ Summary: Input device library Name: libinput Version: 1.25.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.freedesktop.org/wiki/Software/libinput/ Source0: https://gitlab.freedesktop.org/libinput/libinput/-/archive/%{version}/%{name}-%{version}.tar.bz2 +Patch0: CVE-2026-50292.patch BuildRequires: check BuildRequires: gcc @@ -104,6 +105,9 @@ find %{buildroot}/%{_mandir}/man1 -type f -regextype posix-egrep -regex "$UTILS_ %{_mandir}/man1/libinput-test-suite.1* %changelog +* Fri Jun 05 2026 Azure Linux Security Servicing Account - 1.25.0-2 +- Patch for CVE-2026-50292 + * Thu Feb 08 2024 Rohit Rawat - 1.25.0-1 - Upgrade to 1.25.0 From fa83dd6af9cea28d4b7e5ec6224b99d825bdbe79 Mon Sep 17 00:00:00 2001 From: Kshitiz Godara Date: Sat, 6 Jun 2026 12:52:47 +0000 Subject: [PATCH 2/2] Modifying patch to adapt for version 1.25.0 --- SPECS/libinput/CVE-2026-50292.patch | 82 +++++++++++++++++++++++------ SPECS/libinput/libinput.spec | 2 +- 2 files changed, 66 insertions(+), 18 deletions(-) diff --git a/SPECS/libinput/CVE-2026-50292.patch b/SPECS/libinput/CVE-2026-50292.patch index a616e8fb47e..925bc55709c 100644 --- a/SPECS/libinput/CVE-2026-50292.patch +++ b/SPECS/libinput/CVE-2026-50292.patch 
@@ -1,66 +1,114 @@ -From 18f10cea9cd948e05fab8f28dc2d496b2a64cbe5 Mon Sep 17 00:00:00 2001 -From: AllSpark -Date: Fri, 5 Jun 2026 16:47:50 +0000 +From 9ef7fa46ccf201dedbd657436103c88e86e8cdd2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Sat, 6 Jun 2026 12:35:26 +0000 Subject: [PATCH] libinput-device-group: sanitize phys before printing it +A malicious uinput device could set the phys value (via UI_SET_PHYS) +to contain a '\n'. When the value is printed as part of the device group +the udev rules will interpret it as separate property. + +Depending on the property this can cause local privilege escalation. + +Closes #1296 + +Found-by: Csome +(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55) Signed-off-by: Azure Linux Security Servicing Account Upstream-reference: AI Backport of https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b.patch --- - udev/libinput-device-group.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) + udev/libinput-device-group.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c -index 3da904e..314b5cc 100644 +index 3da904e0..a376872b 100644 --- a/udev/libinput-device-group.c 
+++ b/udev/libinput-device-group.c -@@ -109,7 +109,8 @@ wacom_handle_ekr(struct udev_device *device, +@@ -30,6 +30,24 @@ + + #include "libinput-util.h" + ++/** ++ * Return a sanitized copy of the phys string with control characters ++ * replaced to prevent newline injection in udev properties. ++ */ ++static char * ++sanitize_phys(const char *phys) ++{ ++ if (!phys) ++ return NULL; ++ ++ char *s = safe_strdup(phys); ++ for (char *p = s; *p; p++) { ++ if ((unsigned char)*p < 0x20 || *p == 0x7f) ++ *p = '?'; ++ } ++ return s; ++} ++ + #if HAVE_LIBWACOM + #include + +@@ -109,7 +127,8 @@ wacom_handle_ekr(struct udev_device *device, udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) { struct udev_device *d; - const char *path, *phys; -+ _autofree_ char *phys = NULL; ++ char *phys = NULL; + const char *path; const char *pidstr, *vidstr; int pid, vid, dist; -@@ -124,7 +125,7 @@ wacom_handle_ekr(struct udev_device *device, +@@ -124,7 +143,7 @@ wacom_handle_ekr(struct udev_device *device, vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID"); pidstr = udev_device_get_property_value(d, "ID_MODEL_ID"); - phys = udev_device_get_sysattr_value(d, "phys"); -+ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")); ++ phys = sanitize_phys(udev_device_get_sysattr_value(d, "phys")); if (vidstr && pidstr && phys && safe_atoi_base(vidstr, &vid, 16) && -@@ -138,7 +139,7 @@ wacom_handle_ekr(struct udev_device *device, +@@ -138,10 +157,12 @@ wacom_handle_ekr(struct udev_device *device, best_dist = dist; free(*phys_attr); - *phys_attr = safe_strdup(phys); -+ *phys_attr = steal(&phys); ++ *phys_attr = phys; ++ phys = NULL; } } -@@ -154,8 +155,8 @@ int main(int argc, char **argv) ++ free(phys); + udev_device_unref(d); + } + +@@ -154,8 +175,8 @@ int main(int argc, char **argv) int rc = 1; struct udev *udev = NULL; struct udev_device *device = NULL; - const char *syspath, - *phys = NULL; -+ _autofree_ char *phys = NULL; -+ const char *syspath = NULL; ++ const char 
*syspath; ++ char *phys = NULL; const char *product; int bustype, vendor_id, product_id, version; char group[1024]; -@@ -180,7 +181,7 @@ int main(int argc, char **argv) +@@ -180,7 +201,7 @@ int main(int argc, char **argv) while (device != NULL) { struct udev_device *parent; - phys = udev_device_get_sysattr_value(device, "phys"); -+ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys")); ++ phys = sanitize_phys(udev_device_get_sysattr_value(device, "phys")); if (phys) break; +@@ -251,6 +272,7 @@ int main(int argc, char **argv) + + rc = 0; + out: ++ free(phys); + if (device) + udev_device_unref(device); + if (udev) -- 2.45.4 diff --git a/SPECS/libinput/libinput.spec b/SPECS/libinput/libinput.spec index 9ae9bdabdb2..be5608b6c8e 100644 --- a/SPECS/libinput/libinput.spec +++ b/SPECS/libinput/libinput.spec @@ -49,7 +49,7 @@ The %{name}-test package contains the libinput test suite. It is not intended to be run by users. %prep -%autosetup +%autosetup -p1 %build %meson -Ddebug-gui=false \
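Review bot: The embedded patch's header no longer matches its body: it credits Peter Hutterer and a cherry-pick of 76f0d8a7f57e while still citing b2bde9504d42 as the "AI Backport" source, yet the `sanitize_phys()` helper added at `@@ -30,6 +30,24 @@` is local code that replaces the `str_sanitize()`, `_autofree_` and `steal()` usage of the first revision. A header line such as `Modified-by: <maintainer> - replaced str_sanitize() with a local sanitize_phys() for 1.25.0` would show an auditor that the shipped fix diverges from the referenced commit, and the two hashes should be reconciled. The upstream helper is not visible on this page, so it is worth confirming that the local filter (bytes below 0x20 and 0x7f become `?`) rejects at least what upstream rejects. Only `phys` is filtered, and both `wacom_handle_ekr()` and `main()` continue outside the hunks, so this page cannot show whether any other device-supplied string reaches the printed group unsanitized.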