Date: Tue, 14 Aug 2018 09:16:03 +0100
From: Chris Coulson <chris.coulson@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-14424: Use-after-free in GDM

Hi,

I recently discovered a use-after-free in the GDM daemon, which is possible to trigger via a specially crafted sequence of D-Bus method calls as an unprivileged user.

Details from https://gitlab.gnome.org/GNOME/gdm/issues/401 follow:

----

When GdmDisplayStore (daemon/gdm-display-store.c) emits the "display-removed" signal, the GdmDisplay being removed has already been removed from the store. Subsequent calls to gdm_display_store_lookup from signal handlers using the display ID associated with the signal then fail to look up the removed display.

In on_display_removed (daemon/gdm-manager.c), this results in the display object not being correctly unexported from the system bus. Subsequent D-Bus calls to the stale object trigger a use-after-free.

An unprivileged user can trigger this by creating a transient display, waiting a short time and then making D-Bus requests to it.

----

A fix for this can be found in the upstream git repository:
https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da.

Many thanks,
- Chris
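The following is an added illustration of the ordering problem the report describes; it is not code from the report or from GDM. It is a toy model in C (all names, such as `Store`, `Display`, `store_remove_buggy` and `store_remove_fixed`, are hypothetical) showing why a handler that looks the object up by ID after it has already been dropped from the store silently skips the unexport, leaving a freed object reachable, and how emitting the signal while the object is still in the store lets the handler do its job.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a display store (not GDM's code). A "signal" is just a
 * callback invoked with the removed display's ID, as in the report. */
#define MAX_DISPLAYS 4

typedef struct {
    char id[32];
    int exported;   /* 1 while the object is still reachable on the bus */
} Display;

typedef struct Store Store;
typedef void (*RemovedHandler)(Store *store, const char *id);

struct Store {
    Display *slots[MAX_DISPLAYS];
    RemovedHandler on_removed;   /* stands in for "display-removed" */
};

/* Look a display up by ID; NULL once it is no longer in the store. */
Display *store_lookup(Store *s, const char *id)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] && strcmp(s->slots[i]->id, id) == 0)
            return s->slots[i];
    return NULL;
}

/* Create a display; it starts out exported on the bus. */
Display *store_add(Store *s, const char *id)
{
    for (int i = 0; i < MAX_DISPLAYS; i++) {
        if (s->slots[i] != NULL) continue;
        Display *d = calloc(1, sizeof *d);
        if (!d) return NULL;
        strncpy(d->id, id, sizeof d->id - 1);
        d->exported = 1;
        return s->slots[i] = d;
    }
    return NULL;
}

static void store_unlink(Store *s, Display *d)
{
    for (int i = 0; i < MAX_DISPLAYS; i++)
        if (s->slots[i] == d) s->slots[i] = NULL;
}

/* Buggy order: unlink first, emit afterwards. A handler that looks the
 * display up by ID now gets NULL. */
Display *store_remove_buggy(Store *s, const char *id)
{
    Display *d = store_lookup(s, id);
    if (!d) return NULL;
    store_unlink(s, d);
    if (s->on_removed) s->on_removed(s, id);
    return d;
}

/* Safer order: emit while the display can still be looked up, then unlink. */
Display *store_remove_fixed(Store *s, const char *id)
{
    Display *d = store_lookup(s, id);
    if (!d) return NULL;
    if (s->on_removed) s->on_removed(s, id);
    store_unlink(s, d);
    return d;
}

/* Manager-side handler mirroring the lookup-by-ID pattern in the report:
 * a failed lookup silently skips the unexport. */
static void on_display_removed(Store *s, const char *id)
{
    Display *d = store_lookup(s, id);
    if (d == NULL) return;   /* object stays exported: the latent bug */
    d->exported = 0;
}

/* Returns 1 if the display is freed while still exported, i.e. a freed
 * object would remain reachable through the bus; 0 if it was unexported. */
int simulate(int use_fixed_order)
{
    Store s;
    memset(&s, 0, sizeof s);
    s.on_removed = on_display_removed;
    if (!store_add(&s, "display-0")) return -1;
    Display *d = use_fixed_order ? store_remove_fixed(&s, "display-0")
                                 : store_remove_buggy(&s, "display-0");
    if (!d) return -1;
    int stale = d->exported;
    free(d);                 /* what dropping the store reference ends in */
    return stale;
}

int main(void)
{
    printf("remove-then-emit leaves a stale export: %d\n", simulate(0));
    printf("emit-then-remove leaves a stale export: %d\n", simulate(1));
    return 0;
}
```

The model deliberately keeps the handler's `if (d == NULL) return;` path, because that silent skip is the detection point a reviewer would look for: any signal that identifies an object only by ID must fire while the ID can still be resolved, or the handler must receive the object itself.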