Skip to content
  1. Aug 19, 2017
  2. Aug 12, 2017
  3. Aug 10, 2017
  4. Aug 05, 2017
  5. Jul 25, 2017
  6. Jun 21, 2017
  7. Jun 20, 2017
  8. Jun 19, 2017
  9. Jun 18, 2017
  10. Jun 06, 2017
  11. Jun 01, 2017
  12. Apr 16, 2017
  13. Apr 06, 2017
  14. Apr 05, 2017
  15. Apr 04, 2017
  16. Apr 03, 2017
  17. Apr 02, 2017
  18. Apr 01, 2017
  19. Mar 28, 2017
  20. Mar 23, 2017
    • Tobias Stoeckmann's avatar
      Fix double-free/OOB-write while receiving IPC data · f7a547b7
      Tobias Stoeckmann authored
      
      
      If a malicious client pretends to be the E17 window manager, it is
      possible to trigger an out of boundary heap write while receiving an
      IPC message.
      
      The length of the already received message is stored in an unsigned
      short, which overflows after receiving 64 KB of data. It's comparably
      small amount of data and therefore achievable for an attacker.
      
      When len overflows, realloc() will either be called with a small value
      and therefore chars will be appended out of bounds, or len + 1 will be
      exactly 0, in which case realloc() behaves like free(). This could be
      abused for a later double-free attack as it's even possible to overwrite
      the free information -- but this depends on the malloc implementation.
      
      Signed-off-by: default avatarTobias Stoeckmann <tobias@stoeckmann.org>
      f7a547b7
  21. Feb 26, 2017
  22. Feb 23, 2017
  23. Feb 16, 2017
  24. Jan 22, 2017
  25. Jan 15, 2017
  26. Jan 14, 2017
Loading