From 9dc4791d34525c2c25a8a85476e5e9f4160929c3 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Apr 29 2009 00:20:19 +0000
Subject: fix a use-after-free in xdmcp code
---
diff --git a/gdm.spec b/gdm.spec
index 3c3a970..4ab1bb3 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -16,7 +16,7 @@
 Summary: The GNOME Display Manager
 Name: gdm
 Version: 2.26.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 1
 License: GPLv2+
 Group: User Interface/X
@@ -101,6 +101,9 @@ Patch19: gdm-2.26.1-multistack.patch
 # http://bugzilla.gnome.org/show_bug.cgi?id=580189
 Patch20: session-client.patch
+# fixed upstream
+Patch21: xdmcp-use-after-free.patch
+
 # Fedora-specific
 Patch99: gdm-2.23.1-fedora-logo.patch
@@ -145,6 +148,8 @@ The GDM fingerprint plugin provides functionality necessary to use a fingerprint
 %patch20 -p1 -b .session-client
+%patch21 -p1 -b .xdmcp-use-after-free
+
 %patch99 -p1 -b .fedora-logo
 autoreconf -i -f
@@ -385,6 +390,9 @@ fi
 %{_libdir}/gdm/simple-greeter/plugins/fingerprint.so
 %changelog
+* Tue Apr 28 2009 Matthias Clasen - 1:2.26.1-6
+- fix a use-after-free in XDMCP code paths (#496882)
+
 * Tue Apr 28 2009 Ray Strode - 1:2.26.1-5
 - fix crash at shutdown
diff --git a/xdmcp-use-after-free.patch b/xdmcp-use-after-free.patch
new file mode 100644
index 0000000..15fd32e
--- /dev/null
+++ b/xdmcp-use-after-free.patch
@@ -0,0 +1,20 @@
+--- gdm-2.26.1/daemon/gdm-xdmcp-display-factory.c.orig 2009-03-16 20:12:08.000000000 +0000
++++ gdm-2.26.1/daemon/gdm-xdmcp-display-factory.c 2009-04-23 11:49:50.000000000 +0100
+@@ -2309,8 +2309,6 @@
+ authorization_data.data = (CARD8 *) cookie->data;
+ authorization_data.length = cookie->len;
+
+- g_array_free (cookie, TRUE);
+-
+ /* the addrs are NOT copied */
+ gdm_xdmcp_send_accept (factory,
+ address,
+@@ -2319,6 +2317,8 @@
+ &authentication_data,
+ &authorization_name,
+ &authorization_data);
++
++ g_array_free (cookie, TRUE);
+ }
+ }
+ } else {
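Review bot: Once the relocated `g_array_free (cookie, TRUE);` in the second inner hunk has run, `authorization_data.data` still holds the address of the freed cookie buffer, and the only hint that `gdm_xdmcp_send_accept` borrows rather than copies it is the older `/* the addrs are NOT copied */` comment several lines above. I would state the lifetime rule at the free itself, `/* authorization_data.data aliases cookie->data: free only after the Accept has been sent */`, and clear the alias right after it with `authorization_data.data = NULL; authorization_data.length = 0;`, so that a later reorder or added use sees an empty value rather than freed memory. The enclosing function starts and ends outside the hunk, so whether `authorization_data` is read again further down cannot be checked from here.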