oss-sec mailing list archives

CVE-2018-14424: Use-after-free in GDM


From: Chris Coulson <chris.coulson () canonical com>
Date: Tue, 14 Aug 2018 09:16:03 +0100

Hi,

I recently discovered a use-after-free in the GDM daemon, which is
possible to trigger via a specially crafted sequence of D-Bus method
calls as an unprivileged user.

Details from https://gitlab.gnome.org/GNOME/gdm/issues/401 follow:

----
When GdmDisplayStore (daemon/gdm-display-store.c) emits the
"display-removed" signal, the GdmDisplay being removed has already been
removed from the store. Subsequent calls to gdm_display_store_lookup
from signal handlers using the display ID associated with the signal
then fail to look up the removed display. In on_display_removed
(daemon/gdm-manager.c), this results in the display object not being
correctly unexported from the system bus. Subsequent D-Bus calls to the
stale object trigger a use-after-free.

An unprivileged user can trigger this by creating a transient display,
waiting a short time and then making D-Bus requests to it.
----

A fix for this can be found in the upstream git repository:
https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da.

Many thanks,
- Chris


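The ordering bug the report describes, modelled as an added example in C. This is not the post's or GDM's code: the Display, Store and Bus types, the handler names and the object path are constructed here to show the mechanism. A store emits "display-removed" carrying only the display ID after the entry has already been dropped, the handler's lookup by ID fails and silently skips the unexport, and the bus keeps an exported path for an object that is then freed. The variant that emits before removal is one way to avoid the bug in this model; it is an assumption, not a description of what the upstream commit does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example model, not GDM's code. Types and names (Display, Store, Bus,
 * on_display_removed) are this example's own. */
#define MAX_OBJS 8
#define PATH_LEN 64

typedef struct { char id[PATH_LEN]; } Display;
typedef struct { Display *slots[MAX_OBJS]; } Store;

/* Toy object bus: exported paths plus the object the dispatcher calls into.
 * Paths are copied so a lookup never reads a freed Display. */
typedef struct { char paths[MAX_OBJS][PATH_LEN]; Display *objs[MAX_OBJS]; int n; } Bus;

static void bus_export(Bus *b, Display *d) {
    strncpy(b->paths[b->n], d->id, PATH_LEN - 1);
    b->paths[b->n][PATH_LEN - 1] = '\0';
    b->objs[b->n] = d;
    b->n++;
}

static int bus_find(const Bus *b, const char *path) {
    for (int i = 0; i < b->n; i++)
        if (strcmp(b->paths[i], path) == 0) return i;
    return -1;
}

static void bus_unexport(Bus *b, const char *path) {
    int i = bus_find(b, path);
    if (i < 0) return;
    b->n--;
    if (i != b->n) {            /* move the last entry into the freed slot */
        memcpy(b->paths[i], b->paths[b->n], PATH_LEN);
        b->objs[i] = b->objs[b->n];
    }
}

static Display *store_lookup(const Store *s, const char *id) {
    for (int i = 0; i < MAX_OBJS; i++)
        if (s->slots[i] && strcmp(s->slots[i]->id, id) == 0) return s->slots[i];
    return NULL;
}

static Display *store_add(Store *s, Bus *b, const char *id) {
    Display *d = calloc(1, sizeof *d);
    strncpy(d->id, id, PATH_LEN - 1);
    for (int i = 0; i < MAX_OBJS; i++)
        if (!s->slots[i]) { s->slots[i] = d; break; }
    bus_export(b, d);           /* a new display is exported on the bus */
    return d;
}

/* Handler in the style of the post's on_display_removed: it receives only
 * an ID and must look the display up before it can unexport it. */
static void on_display_removed(const Store *s, Bus *b, const char *id) {
    Display *d = store_lookup(s, id);
    if (d == NULL)
        return;                 /* lookup failed: the unexport is skipped */
    bus_unexport(b, d->id);
}

static void store_remove(Store *s, Bus *b, const char *id, int emit_before_removal) {
    char id_copy[PATH_LEN];
    Display *d = store_lookup(s, id);
    if (!d) return;
    strncpy(id_copy, id, PATH_LEN - 1);
    id_copy[PATH_LEN - 1] = '\0';

    if (emit_before_removal)
        on_display_removed(s, b, id_copy);  /* still in the store: lookup works */

    for (int i = 0; i < MAX_OBJS; i++)
        if (s->slots[i] == d) s->slots[i] = NULL;

    if (!emit_before_removal)
        on_display_removed(s, b, id_copy);  /* the bug: lookup now fails */

    free(d);   /* last reference gone; a bus entry left behind now dangles */
}

/* Exported paths with no live display behind them. Each one is a path a
 * client can still call, and the dispatcher would hand that call to freed
 * memory. The check compares paths only and never touches the freed object. */
static int bus_stale_count(const Bus *b, const Store *s) {
    int stale = 0;
    for (int i = 0; i < b->n; i++)
        if (store_lookup(s, b->paths[i]) == NULL) stale++;
    return stale;
}

/* Create a display, remove it, report stale exports (0 means safe). */
static int run_scenario(int emit_before_removal) {
    Store s = {0};
    Bus b = {0};
    const char *path = "/org/example/Displays/1";   /* constructed path */
    store_add(&s, &b, path);
    store_remove(&s, &b, path, emit_before_removal);
    return bus_stale_count(&b, &s);
}

int main(void) {
    printf("emit after removal (bug): %d stale export(s)\n", run_scenario(0));
    printf("emit before removal:      %d stale export(s)\n", run_scenario(1));
    return 0;
}
```

The stale count is the observable symptom an unprivileged client can exploit: the object path still answers on the bus while the memory behind it has been released, so the next method call on that path is the use-after-free. Any variant where the handler can resolve the object (emitting before the entry leaves the store, or passing the object itself rather than an ID) closes the window in this model.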

