Message-ID: <31e2919a-bcc5-bd87-8df2-5d14054ec65b@canonical.com>
Date: Tue, 14 Aug 2018 09:16:03 +0100
From: Chris Coulson <chris.coulson@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-14424: Use-after-free in GDM

Hi,

I recently discovered a use-after-free in the GDM daemon, which is
possible to trigger via a specially crafted sequence of D-Bus method
calls as an unprivileged user.

Details from https://gitlab.gnome.org/GNOME/gdm/issues/401 follow:

----
When GdmDisplayStore (daemon/gdm-display-store.c) emits the
"display-removed" signal, the GdmDisplay being removed has already been
removed from the store. Subsequent calls to gdm_display_store_lookup
from signal handlers using the display ID associated with the signal
then fail to look up the removed display. In on_display_removed
(daemon/gdm-manager.c), this results in the display object not being
correctly unexported from the system bus. Subsequent D-Bus calls to the
stale object trigger a use-after-free.

An unprivileged user can trigger this by creating a transient display,
waiting a short time and then making D-Bus requests to it.
----

A fix for this can be found in the upstream git repository: https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da.

Many thanks,
- Chris
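The ordering problem in the report is a general pattern: a container emits a "removed" notification after the object is already gone, so a handler that only receives the object's id can no longer look it up and skips cleanup, leaving a dangling reference behind. The C model below is an added illustration, not code from GDM or from the linked commit; the types Store, Bus and Display, the id "display-1" and the helper names are constructed for the example. It keeps a store of display objects and a mock bus holding exported pointers, runs the defective order (detach, then emit) beside the corrected order (emit, then detach), and counts how many exported pointers survive without a live object. Nothing freed is ever dereferenced; the count is the detection signal a defender would want in a regression test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DISPLAYS 8

typedef struct { char id[64]; } Display;          /* stand-in for a display object */

/* Store of live displays keyed by id; it owns the objects, NULL slot = empty. */
typedef struct { Display *slots[MAX_DISPLAYS]; } Store;

/* Mock bus: pointers currently exported. An entry that outlives its Display
 * is exactly the stale object a later method call would dispatch to. */
typedef struct { Display *exported[MAX_DISPLAYS]; int count; } Bus;

static Display *store_lookup(Store *s, const char *id)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] && strcmp(s->slots[i]->id, id) == 0)
            return s->slots[i];
    return NULL;
}

static Display *store_add(Store *s, const char *id)
{
    for (int i = 0; i < MAX_DISPLAYS; i++) {
        if (s->slots[i] == NULL) {
            Display *d = calloc(1, sizeof *d);
            if (d) { snprintf(d->id, sizeof d->id, "%s", id); s->slots[i] = d; }
            return d;
        }
    }
    return NULL;
}

/* Unlink from the store without freeing; ownership passes to the caller. */
static void store_detach(Store *s, Display *d)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] == d) s->slots[i] = NULL;
}

static void bus_export(Bus *b, Display *d)
{
    if (b->count < MAX_DISPLAYS) b->exported[b->count++] = d;
}

static void bus_unexport(Bus *b, Display *d)
{
    for (int i = 0; i < b->count; i++)
        if (b->exported[i] == d) { b->exported[i] = b->exported[--b->count]; return; }
}

/* "display-removed" handler. Like on_display_removed in the report it gets only
 * the id and must look the object up; a failed lookup means no unexport. */
static void on_display_removed(Store *s, Bus *b, const char *id)
{
    Display *d = store_lookup(s, id);
    if (d) bus_unexport(b, d);
}

/* Defective order: object leaves the store, then the signal fires. */
static Display *remove_then_emit(Store *s, Bus *b, const char *id)
{
    Display *d = store_lookup(s, id);
    if (!d) return NULL;
    store_detach(s, d);
    on_display_removed(s, b, id);   /* lookup fails, bus keeps the pointer */
    return d;
}

/* Corrected order: signal fires while the object is still findable. */
static Display *emit_then_remove(Store *s, Bus *b, const char *id)
{
    Display *d = store_lookup(s, id);
    if (!d) return NULL;
    on_display_removed(s, b, id);   /* lookup succeeds, object is unexported */
    store_detach(s, d);
    return d;
}

/* Exported pointers with no live display behind them, compared by address only. */
static int bus_dangling_count(const Bus *b, const Store *s)
{
    int n = 0;
    for (int i = 0; i < b->count; i++) {
        int live = 0;
        for (int j = 0; j < MAX_DISPLAYS; j++)
            if (s->slots[j] == b->exported[i]) live = 1;
        n += !live;
    }
    return n;
}

/* One add/export/remove cycle; returns how many stale exports remain (0 is correct). */
int run_scenario(int use_fixed_order)
{
    Store s = {{0}};
    Bus b = {{0}, 0};
    const char *id = "display-1";   /* constructed id, not a real GDM object path */
    bus_export(&b, store_add(&s, id));
    Display *gone = use_fixed_order ? emit_then_remove(&s, &b, id)
                                    : remove_then_emit(&s, &b, id);
    int dangling = bus_dangling_count(&b, &s);
    free(gone);                     /* freed only after the check */
    return dangling;
}

int main(void)
{
    printf("remove-then-emit: %d dangling export(s)\n", run_scenario(0));
    printf("emit-then-remove: %d dangling export(s)\n", run_scenario(1));
    return 0;
}
```

The useful check for a code base with this shape is the last one: after every removal path, assert that nothing registered with the bus points at an object the store no longer owns, and run it under ASan so a dispatch to a stale entry fails loudly instead of silently.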
