[Mesa-dev] CVE-2019-19520: Local privilege escalation via xlock

Dave Airlie airlied at gmail.com
Thu Dec 5 03:59:50 UTC 2019


On Thu, 5 Dec 2019 at 13:42, Jonathan Gray <jsg at jsg.id.au> wrote:
>
> Until very recently OpenBSD built xlockmore against Mesa.  xlock is
> setgid auth.  As described by Qualys in their advisory
> https://marc.info/?l=oss-security&m=157549260013521&w=2
> "CVE-2019-19520: Local privilege escalation via xlock"
> the setuid check in the loader for LIBGL_DRIVERS_PATH does not handle
> this.
>
Should we just use secure_getenv?

DAve.


More information about the mesa-dev mailing list