https://bugzilla.gnome.org/show_bug.cgi?id=751414

            Bug ID: 751414
           Summary: File descriptor leak in
                    gdk_wayland_selection_request_target()
    Classification: Platform
           Product: gtk+
           Version: 3.16.x
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: Backend: Wayland
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected], [email protected]
     GNOME version: ---

I discovered that gdk_wayland_selection_request_target() does not close()
wayland_selection->stored_selection.fd before assigning a new fd to it. A
malicious Wayland client can trick a user into dragging data to it from a GTK+
app, and then cause the GTK+ app to leak an arbitrary number of file
descriptors up to its limit by calling wl_data_offer_receive() in a loop. This
probably also works against any GTK+ app that has placed data in the clipboard,
though I didn't test that.

I'll attach the trivial fix.

_______________________________________________
wayland-bugs mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/wayland-bugs
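
The leak pattern the report describes (a stored descriptor overwritten without close()) next to the corrected form, as an added example that is not GTK+ code and not the attached fix. The struct, the function names and the pipe-based request simulation are hypothetical stand-ins; only the overwrite-without-close behaviour comes from the report.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for the stored-selection state; not GTK+'s struct. */
struct stored_selection { int fd; };

/* Count this process's open descriptors by probing each slot. */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}
/* Pattern described in the report: the old fd is overwritten, never closed. */
static void store_fd_leaky(struct stored_selection *s, int new_fd)
{
    s->fd = new_fd;
}
/* Corrected pattern: release the previous descriptor before replacing it. */
static void store_fd_fixed(struct stored_selection *s, int new_fd)
{
    if (s->fd >= 0) close(s->fd);
    s->fd = new_fd;
}

/* Simulate `requests` (>= 1) peer-driven requests, each delivering a fresh
 * descriptor (constructed input: one end of a local pipe). Returns how many
 * descriptors stay open beyond the single one legitimately stored. */
static int leaked_after(int requests, int use_fixed)
{
    struct stored_selection s = { .fd = -1 };
    int before = count_open_fds();
    for (int i = 0; i < requests; i++) {
        int p[2];
        if (pipe(p) != 0) break;      /* descriptor limit reached */
        close(p[0]);                  /* keep one end as the delivered fd */
        (use_fixed ? store_fd_fixed : store_fd_leaky)(&s, p[1]);
    }
    int leaked = count_open_fds() - before - 1;
    close(s.fd);                      /* drop the one fd still referenced */
    return leaked;
}

int main(void)
{
    printf("leaky: %d, fixed: %d\n", leaked_after(20, 0), leaked_after(20, 1));
}
```

With the leaky variant the count grows by one per request, and because the peer controls the request rate, the process's descriptor limit is the only bound.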
