[Mesa-dev] CVE-2019-19520: Local privilege escalation via xlock
Dave Airlie
airlied at gmail.com
Thu Dec 5 03:59:50 UTC 2019
On Thu, 5 Dec 2019 at 13:42, Jonathan Gray <jsg at jsg.id.au> wrote:
>
> Until very recently OpenBSD built xlockmore against Mesa. xlock is
> setgid auth. As described by Qualys in their advisory
> https://marc.info/?l=oss-security&m=157549260013521&w=2
> "CVE-2019-19520: Local privilege escalation via xlock"
> the setuid check in the loader for LIBGL_DRIVERS_PATH does not handle
> this.
>
Should we just use secure_getenv?
DAve.
More information about the mesa-dev
mailing list