Bug 491918 (CVE-2008-6514)

Summary: CVE-2008-6514 compiz-fusion: Possible locked desktop access by using Expo plugin mouse shortcuts
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adel.gadllah
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugzilla.gnome.org/show_bug.cgi?id=561567
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-24 21:42:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-03-24 16:24:21 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6514 to
the following vulnerability:

The Expo plugin in Compiz Fusion 0.7.8 allows local users with
physical access to drag the screen saver aside and access the locked
desktop by using Expo mouse shortcuts, a related issue to
CVE-2007-3920.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6514
https://bugs.launchpad.net/ubuntu/+source/compiz-fusion-plugins-main/+bug/247088
http://bugzilla.gnome.org/show_bug.cgi?id=561567
http://www.securityfocus.com/bid/32712
http://secunia.com/advisories/33077
http://xforce.iss.net/xforce/xfdb/47172

Upstream patch:
http://gitweb.compiz-fusion.org/?p=fusion/plugins/expo;a=commit;h=f97a9fa6f0ad578f674d1f248bd7bef90e3260e0
Comment 1 Jan Lieskovsky 2009-03-24 16:25:11 UTC 
This issue affects the version of compiz-fusion package, as shipped
with Fedora releases of 9 and 10.

Please fix.
Comment 2 Fedora Update System 2009-03-24 19:19:42 UTC 
compiz-fusion-0.7.8-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/compiz-fusion-0.7.8-4.fc10
Comment 3 Fedora Update System 2009-03-24 19:20:26 UTC 
compiz-fusion-0.7.6-6.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/compiz-fusion-0.7.6-6.fc9
Comment 4 Adel Gadllah 2009-03-24 19:23:43 UTC 
(In reply to comment #1)
> This issue affects the version of compiz-fusion package, as shipped
> with Fedora releases of 9 and 10.
> 
> Please fix.  

Thanks for the report, I have built fixed packages in rawhide, F-10 and F-9 and requested a push for the F-10 and F-9 packages in bodhi.
Comment 5 Fedora Update System 2009-03-25 16:01:41 UTC 
compiz-fusion-0.7.8-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-03-25 16:04:12 UTC 
compiz-fusion-0.7.6-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.