On Tue, Dec 06, 2016 at 10:26:59PM +0100, Matthieu Herrb wrote: This is from https://bugs.freedesktop.org/show_bug.cgi?id=98822
> From: Tobias Stoeckmann <[email protected]> > > The function IceAuthFileName is vulnerable to a use after free. The > flaw can be triggered by calling the function three times: > > - First call succeeds and stores the path in buf, a dynamically > allocated buffer with size bsize. > - Second call fails due to out of memory. It frees buf, but keeps > the old size in bsize. > - Third call only checks if bsize is large enough. Then it uses > buf without allocating it again -- the use after free happens. > > In order to exploit this, an attacker must change environment variables > between each call, namely ICEAUTHORITY or HOME. It also takes subsequent > calls. Due to these limitations, I don't consider this to be of high > priority. > --- > src/authutil.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git src/authutil.c src/authutil.c > index 04c0791..ca0504a 100644 > --- src/authutil.c > +++ src/authutil.c > @@ -114,8 +114,10 @@ IceAuthFileName (void) > if (buf) > free (buf); > buf = malloc (size); > - if (!buf) > + if (!buf) { > + bsize = 0; > return (NULL); > + } > bsize = size; > } > > -- > 2.10.2 > > _______________________________________________ > [email protected]: X.Org development > Archives: http://lists.x.org/archives/xorg-devel > Info: https://lists.x.org/mailman/listinfo/xorg-devel -- Matthieu Herrb
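Review bot: zeroing bsize on the failed malloc makes the cache consistent only because the visible `buf = malloc (size)` also leaves buf NULL; the allocate-or-reuse decision above this hunk still keys on bsize alone (the commit message itself notes that the third call "only checks if bsize is large enough"), so consider hardening that test to `if (!buf || bsize < size)` so a NULL buf can never be handed back with a stale capacity. The braces added around the early return match the surrounding style; no other concerns.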
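The cached-buffer pattern the commit message describes, as an added, constructed C model rather than libICE's own code: `auth_file_name` keeps a static buffer and a separately tracked capacity the way IceAuthFileName does, `fixed` switches between the original logic and the patched one, and `fail_next_alloc` stands in for an allocation failure. The function names, the `home` parameter, the `/.ICEauthority` suffix and the `cache_state_is_stale` check are assumptions of this model, not identifiers from the patch.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the IceAuthFileName caching pattern: one static
 * result buffer plus a separately tracked capacity.  Not libICE's code. */
static char *buf = NULL;    /* cached result buffer */
static size_t bsize = 0;    /* capacity buf was last allocated with */

/* Test hook: when nonzero, the next allocation fails (simulated ENOMEM). */
static int fail_next_alloc = 0;

static void *model_malloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Build "<home>/.ICEauthority" in the cached buffer.
 * fixed == 0 reproduces the original logic, fixed == 1 applies the patch. */
static const char *auth_file_name(const char *home, int fixed)
{
    size_t size = strlen(home) + strlen("/.ICEauthority") + 1;

    if (bsize < size) {             /* only the capacity is consulted */
        if (buf)
            free(buf);
        buf = model_malloc(size);   /* NULL on failure, old bsize survives */
        if (!buf) {
            if (fixed)
                bsize = 0;          /* the patch: keep bsize honest */
            return NULL;
        }
        bsize = size;
    }
    /* Original code writes into buf here unconditionally; with a stale
     * bsize >= size that is a write through an invalid pointer.  The guard
     * keeps this model itself safe while exposing the stale state. */
    if (!buf)
        return NULL;
    snprintf(buf, bsize, "%s/.ICEauthority", home);
    return buf;
}

/* 1 when the cache is inconsistent: no buffer, but a nonzero capacity. */
static int cache_state_is_stale(void) { return buf == NULL && bsize != 0; }

static void reset_cache(void) { free(buf); buf = NULL; bsize = 0; }
```

Each of the two failing calls models the second call in the commit message (a longer path forcing a reallocation that fails); the call after it models the third.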
