Bug 980111 (CVE-2013-2190)

Summary: CVE-2013-2190 clutter: Improper translation of hierarchy events (gnome-shell crash after system resume)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fmuellner, itamar, metherid, otaylor, pbrobinson, walters
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-01 13:18:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 980116    
Bug Blocks:    

Description Jan Lieskovsky 2013-07-01 13:04:54 UTC 
A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when underlying device disappeared, causing XIQueryDevice query to throw an error).  Physically proximate attackers could use this flaw for example to obtain unauthorized access to gnome-shell session right after system resume (due to gnome-shell crash).

Upstream bug:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=701974

References:
[2] http://www.openwall.com/lists/oss-security/2013/06/18/7
[3] http://www.openwall.com/lists/oss-security/2013/06/19/1

Relevant upstream patch:
[4] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.14&id=e310c68d7b38d521e341f4e8a36f54303079d74e
    (against clutter v1.14)
[5] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab
    (against clutter v1.16)
Comment 1 Jan Lieskovsky 2013-07-01 13:06:41 UTC 
This issue did NOT affect the version of the clutter package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the clutter package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-07-01 13:07:54 UTC 
Created clutter tracking bugs for this issue:

Affects: fedora-all [bug 980116]
Comment 4 Jan Lieskovsky 2013-07-01 13:18:36 UTC 
Statement:

Not vulnerable. This issue did not affect the version of clutter as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 1b1e77b46989ba97bfff8abdfa61df0f514a7eae that introduced this issue.