Bug 980111 - (CVE-2013-2190) CVE-2013-2190 clutter: Improper translation of hierarchy events (gnome-shell crash after system resume)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20130618,reported=2...
Keywords: Security
Depends On: 980116
Blocks:
Reported: 2013-07-01 09:04 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:08 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-01 09:18:36 EDT
Description Jan Lieskovsky 2013-07-01 09:04:54 EDT
A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when the underlying device disappeared, causing the XIQueryDevice query to throw an error). Physically proximate attackers could use this flaw, for example, to obtain unauthorized access to a gnome-shell session right after system resume (due to a gnome-shell crash).

Upstream bug:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=701974

References:
[2] http://www.openwall.com/lists/oss-security/2013/06/18/7
[3] http://www.openwall.com/lists/oss-security/2013/06/19/1

Relevant upstream patch:
[4] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.14&id=e310c68d7b38d521e341f4e8a36f54303079d74e
    (against clutter v1.14)
[5] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab
    (against clutter v1.16)
Comment 1 Jan Lieskovsky 2013-07-01 09:06:41 EDT
This issue did NOT affect the version of the clutter package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the clutter package as shipped with Fedora releases 17 and 18. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-07-01 09:07:54 EDT
Created clutter tracking bugs for this issue:

Affects: fedora-all [bug 980116]
Comment 4 Jan Lieskovsky 2013-07-01 09:18:36 EDT
Statement:

Not vulnerable. This issue did not affect the version of clutter as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 1b1e77b46989ba97bfff8abdfa61df0f514a7eae that introduced this issue.
