Date: Tue, 14 Aug 2018 09:16:03 +0100
From: Chris Coulson <chris.coulson@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-14424: Use-after-free in GDM

Hi,

I recently discovered a use-after-free in the GDM daemon, which is possible to trigger via a specially crafted sequence of D-Bus method calls as an unprivileged user. Details from https://gitlab.gnome.org/GNOME/gdm/issues/401 follow:

----

When GdmDisplayStore (daemon/gdm-display-store.c) emits the "display-removed" signal, the GdmDisplay being removed has already been removed from the store. Subsequent calls to gdm_display_store_lookup from signal handlers using the display ID associated with the signal then fail to look up the removed display.

In on_display_removed (daemon/gdm-manager.c), this results in the display object not being correctly unexported from the system bus. Subsequent D-Bus calls to the stale object trigger a use-after-free.

An unprivileged user can trigger this by creating a transient display, waiting a short time and then making D-Bus requests to it.

----

A fix for this can be found in the upstream git repository: https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da.

Many thanks,
- Chris
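The ordering defect the report describes, reduced to a self-contained C model (added here; this is not GDM's code, and whether the upstream commit fixes it in exactly this way is not claimed). The store, the id-based lookup and the `on_display_removed` handler are miniature stand-ins, the display id is a constructed value, and "exported" is a flag standing in for the real D-Bus registration; the point shown is that a handler which re-looks-up the object by id after the store has already dropped it silently skips the unexport, so the object is freed while still reachable from the bus.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of GdmDisplayStore: a fixed table of displays keyed by id. */
#define MAX_DISPLAYS 4
typedef struct { char id[32]; bool exported; } Display;  /* exported: reachable on the bus */
static Display *store[MAX_DISPLAYS];
static Display *store_add(const char *id) {
    Display *d = calloc(1, sizeof *d);
    if (d == NULL) return NULL;
    strncpy(d->id, id, sizeof d->id - 1);
    d->exported = true;
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (store[i] == NULL) { store[i] = d; return d; }
    free(d);
    return NULL;
}
/* Stand-in for gdm_display_store_lookup: find a display by id, NULL if absent. */
static Display *store_lookup(const char *id) {
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (store[i] && strcmp(store[i]->id, id) == 0) return store[i];
    return NULL;
}
static void store_unlink(Display *d) {
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (store[i] == d) store[i] = NULL;
}
/* Handler modelled on on_display_removed: it receives only the id, so it must
 * look the display up again before unexporting. A failed lookup skips the unexport. */
static void on_display_removed(const char *id) {
    Display *d = store_lookup(id);
    if (d == NULL) return;
    d->exported = false;
}
/* Remove a display, emitting "display-removed" after (buggy) or before (fixed)
 * the display leaves the store. Returns true when the object was freed while
 * still exported, i.e. a stale, dangling bus object is left behind. */
static bool remove_display(Display *d, bool emit_before_unlink) {
    if (emit_before_unlink) on_display_removed(d->id);
    store_unlink(d);
    if (!emit_before_unlink) on_display_removed(d->id);
    bool stale = d->exported;   /* read before free: no use-after-free in the model itself */
    free(d);
    return stale;
}
static bool demo(bool emit_before_unlink) {
    Display *d = store_add("display-1");  /* constructed id, not a real GDM object path */
    return remove_display(d, emit_before_unlink);
}
```

`demo(false)` reproduces the reported order (unlink, then emit) and reports a stale exported object; `demo(true)` emits first, so the handler's lookup succeeds and the object is unexported before it is freed.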