| Summary: | x11-wm/windowmaker-0.91.0 buggy code | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | solar (RETIRED) <solar> |
| Component: | Auditing | Assignee: | Luis Medinas (RETIRED) <metalgod> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | lev, spb |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
solar (RETIRED)
2005-02-09 10:15:57 UTC
This is what the start of the second function looks like.

```c
int WMHandleEvent(XEvent *event)
{
    W_EventHandler *hPtr;
    W_View *view, *toplevel;
    unsigned long mask;
    Window window;
    WMArrayIterator iter;

    if (event->type == MappingNotify) {
        XRefreshKeyboardMapping(&event->xmapping);
        return True;
    }

    mask = eventMasks[event->xany.type];
```

And it's the `mask = eventMasks[event->xany.type];` that triggers on the debug compiler. On line 11..

```c
static unsigned long eventMasks[] = {
    ....
```

Regarding the first one, there's a clear overflow there, however the ewmh specs do say only the window manager and pager should set this property: http://standards.freedesktop.org/wm-spec/1.3/ar01s03.html#id2522754

If an attacker can change this, it's safe to assume he can set any random property and can do all kinds of craziness such as modifying the clipboard, changing keybindings and modifying resources, so if he's already got to this point... I don't think he would be interested in this :)

Regarding the second one, I think we have to assume XEvents are trusted input. If an attacker can create his own synthetic events (he's got to a point where he can use XSendEvent(), for example) he can already fake input events to terminals for example, close windows, send click events, anything... so it's already game over :)

These should probably still be fixed, but afaict don't look like security issues.

Thanks Tavis.. Reassigning bug to gnustep@ as a normal bug report then.

We can close this since 0.91.0 isn't on the tree anymore.
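The second issue is an unchecked table lookup indexed by the event type. The following is an added example, not WindowMaker's own code: it models the `eventMasks[event->xany.type]` lookup with a stand-in table and shows the bounds check that keeps an out-of-range type (e.g. from a synthetic event) from reading past the array. The constants mirror the values in X11/X.h; the table contents are constructed for the example.

```c
/* Added example (not WINGs code): models the eventMasks lookup quoted in the
 * bug and the bounds check that makes it safe. Constants mirror X11/X.h. */
#include <stdio.h>

#define KeyPress        2
#define KeyRelease      3
#define ButtonPress     4
#define MappingNotify   34
#define LASTEvent       36      /* one past the highest core event type */

#define KeyPressMask    (1L << 0)
#define KeyReleaseMask  (1L << 1)
#define ButtonPressMask (1L << 2)

/* Table indexed by event type. Sized to LASTEvent so every valid core type
 * has a slot; types not listed here stay 0 (constructed contents). */
static const unsigned long eventMasks[LASTEvent] = {
    [KeyPress]    = KeyPressMask,
    [KeyRelease]  = KeyReleaseMask,
    [ButtonPress] = ButtonPressMask,
};

/* The unchecked form from the report: `type` is event->xany.type. A value
 * >= LASTEvent (or negative) reads outside the table: undefined behaviour. */
unsigned long event_mask_unchecked(int type)
{
    return eventMasks[type];
}

/* Hardened form: reject anything outside the table before indexing and
 * return 0 (no mask) so the caller simply ignores the event. */
unsigned long event_mask_checked(int type)
{
    if (type < 0 || type >= LASTEvent)
        return 0;
    return eventMasks[type];
}

int main(void)
{
    /* Constructed inputs: a normal KeyPress and an out-of-range type. */
    printf("KeyPress mask:  %lu\n", event_mask_checked(KeyPress));
    printf("type 1000 mask: %lu\n", event_mask_checked(1000));
    return 0;
}
```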