oss-sec mailing list archives
CVE-2018-14424: Use-after-free in GDM
From: Chris Coulson <chris.coulson () canonical com>
Date: Tue, 14 Aug 2018 09:16:03 +0100
Hi,

I recently discovered a use-after-free in the GDM daemon, which is possible to trigger via a specially crafted sequence of D-Bus method calls as an unprivileged user. Details from https://gitlab.gnome.org/GNOME/gdm/issues/401 follow:

----
When GdmDisplayStore (daemon/gdm-display-store.c) emits the "display-removed" signal, the GdmDisplay being removed has already been removed from the store. Subsequent calls to gdm_display_store_lookup from signal handlers using the display ID associated with the signal then fail to look up the removed display. In on_display_removed (daemon/gdm-manager.c), this results in the display object not being correctly unexported from the system bus. Subsequent D-Bus calls to the stale object trigger a use-after-free.

An unprivileged user can trigger this by creating a transient display, waiting a short time and then making D-Bus requests to it.
----

A fix for this can be found in the upstream git repository: https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da.

Many thanks,
- Chris
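The following is an added illustration and not code from GDM, from the upstream fix, or from the report above. It is a small C model of the ordering problem the report describes: a store owns display objects keyed by an integer id, a bus records which ids are exported and which object a method call on that id would reach, and a display-removed handler (shaped like on_display_removed) is handed only the id and must look the object up in the store before it can unexport it. When the store drops the object before emitting the signal, the lookup fails, the export entry survives, and the bus keeps dispatching to memory that has since been freed. Every name here (DisplayStore, Bus, remove_display, bus_would_dispatch, and so on) is invented for this model; the "emit before removal" ordering is shown only to make the dependency visible and is not a claim about what the upstream commit changed.

```c
/* Added illustration, not GDM code: a C model of the display-removed
 * ordering bug.  All type and function names are invented for this model. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DISPLAYS 8

typedef struct { int id; bool transient; } Display;

/* The store owns the Display objects; a NULL slot means "not present". */
typedef struct { Display *slots[MAX_DISPLAYS]; } DisplayStore;

/* The bus keeps an export flag per id and the object a call would reach. */
typedef struct {
    bool     exported[MAX_DISPLAYS];
    Display *object[MAX_DISPLAYS];
} Bus;

static Display *store_lookup(DisplayStore *s, int id) {
    return (id >= 0 && id < MAX_DISPLAYS) ? s->slots[id] : NULL;
}

/* Create a display, put it in the store and export it on the bus. */
static Display *create_and_export(DisplayStore *s, Bus *bus, int id, bool transient) {
    Display *d = calloc(1, sizeof *d);
    if (d == NULL) abort();
    d->id = id;
    d->transient = transient;
    s->slots[id] = d;
    bus->exported[id] = true;
    bus->object[id] = d;
    return d;
}

/* Handler in the shape of on_display_removed: it receives only the id and
 * has to find the object through the store before it can unexport it. */
static void on_display_removed(DisplayStore *s, Bus *bus, int id) {
    Display *d = store_lookup(s, id);
    if (d == NULL)
        return;              /* lookup failed: the export entry is left behind */
    bus->exported[id] = false;
    bus->object[id] = NULL;
}

/* Models removal from the store.  emit_after_removal == true is the
 * sequence the report describes (slot cleared, then signal emitted);
 * false emits the signal while the display is still in the store. */
static void remove_display(DisplayStore *s, Bus *bus, int id, bool emit_after_removal) {
    Display *d = store_lookup(s, id);
    if (d == NULL) return;
    if (emit_after_removal) {
        s->slots[id] = NULL;
        on_display_removed(s, bus, id);   /* lookup by id now fails */
    } else {
        on_display_removed(s, bus, id);   /* lookup still succeeds */
        s->slots[id] = NULL;
    }
    free(d);                              /* store drops its last reference */
}

/* A later method call on the object path for `id`: returns true when the bus
 * would still dispatch to an object.  After the buggy removal that object has
 * already been freed, which is the use-after-free.  The dangling pointer is
 * deliberately never dereferenced here. */
static bool bus_would_dispatch(const Bus *bus, int id) {
    return bus->exported[id] && bus->object[id] != NULL;
}

/* Run the whole sequence for one transient display and report whether a
 * stale export survives its removal. */
static bool stale_export_after_removal(bool emit_after_removal) {
    DisplayStore store = {0};
    Bus bus = {0};
    int id = 3;                           /* constructed sample id */
    create_and_export(&store, &bus, id, true);
    remove_display(&store, &bus, id, emit_after_removal);
    return bus_would_dispatch(&bus, id);
}

int main(void) {
    printf("signal emitted after removal:  stale export = %d\n",
           stale_export_after_removal(true));
    printf("signal emitted before removal: stale export = %d\n",
           stale_export_after_removal(false));
    return 0;
}
```

The point the model makes is that the export bookkeeping depends on a lookup that is only valid while the object is still in the store; any handler that identifies the object by id rather than by pointer inherits that window. When reviewing similar signal-plus-lookup patterns, check whether the emitter has already torn down the state the handler needs, and whether anything else (here, the bus) still holds a reference once the owner releases its own.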