<html> <head> <base href="https://bugzilla.gnome.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - File descriptor leak in gdk_wayland_selection_request_target()" href="https://bugzilla.gnome.org/show_bug.cgi?id=751414">751414</a> </td> </tr> <tr> <th>Summary</th> <td>File descriptor leak in gdk_wayland_selection_request_target() </td> </tr> <tr> <th>Classification</th> <td>Platform </td> </tr> <tr> <th>Product</th> <td>gtk+ </td> </tr> <tr> <th>Version</th> <td>3.16.x </td> </tr> <tr> <th>OS</th> <td>Linux </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>Normal </td> </tr> <tr> <th>Component</th> <td>Backend: Wayland </td> </tr> <tr> <th>Assignee</th> <td>gtk-bugs@gtk.org </td> </tr> <tr> <th>Reporter</th> <td>mcatanzaro@gnome.org </td> </tr> <tr> <th>QA Contact</th> <td>gtk-bugs@gtk.org </td> </tr> <tr> <th>CC</th> <td>rob@robster.org.uk, wayland-bugs@lists.freedesktop.org </td> </tr> <tr> <th>GNOME version</th> <td>--- </td> </tr></table> <p> <div> <pre>I discovered that gdk_wayland_selection_request_target() does not close() wayland_selection->stored_selection.fd before assigning a new fd to it. A malicious Wayland client can trick a user into dragging data to it from a GTK+ app, and then cause the GTK+ app to leak an arbitrary number of file descriptors up to its limit by calling wl_data_offer_receive() in a loop. This probably also work against any GTK+ app that has placed data in the clipboard, though I didn't test that. I'll attach the trivial fix.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are on the CC list for the bug.</li> </ul> </body> </html>