Fluid Attacks Database

Description

Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie). Each failed authentication attempt will leak a file descriptor in gnome-session. When the maximum number of file descriptors is exhausted in the gnome-session process, it will enter an infinite loop trying to communicate without success, consuming 100% of the CPU. The graphical session associated with the gnome-session process will stop working correctly, because communication with gnome-session is no longer possible.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	gnome-session	>=0 <2.30.0-1	2.30.0-1
debian 13	gnome-session	>=0 <2.30.0-1	2.30.0-1
debian 11	gnome-session	>=0 <2.30.0-1	2.30.0-1
debian 12	gnome-session	>=0 <2.30.0-1	2.30.0-1
rpm rhel6	gnome-session	-	-

Aliases

1. CVE-2017-111712. NVD-2017-111713. OSV-DEBIAN-2017-111714. OSV-2017-111715. SECURITY-TRACKER-CVE-2017-11171

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.