Bug 980111 (CVE-2013-2190) - CVE-2013-2190 clutter: Improper translation of hierarchy events (gnome-shell crash after system resume)
Summary: CVE-2013-2190 clutter: Improper translation of hierarchy events (gnome-shell ...
Alias: CVE-2013-2190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 980116
TreeView+ depends on / blocked
Reported: 2013-07-01 13:04 UTC by Jan Lieskovsky
Modified: 2021-02-17 07:33 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-07-01 13:18:36 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2013-07-01 13:04:54 UTC
A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when underlying device disappeared, causing XIQueryDevice query to throw an error).  Physically proximate attackers could use this flaw for example to obtain unauthorized access to gnome-shell session right after system resume (due to gnome-shell crash).

Upstream bug:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=701974

[2] http://www.openwall.com/lists/oss-security/2013/06/18/7
[3] http://www.openwall.com/lists/oss-security/2013/06/19/1

Relevant upstream patch:
[4] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.14&id=e310c68d7b38d521e341f4e8a36f54303079d74e
    (against clutter v1.14)
[5] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab
    (against clutter v1.16)

Comment 1 Jan Lieskovsky 2013-07-01 13:06:41 UTC
This issue did NOT affect the version of the clutter package, as shipped with Red Hat Enterprise Linux 6.


This issue affects the versions of the clutter package, as shipped with Fedora release of 17 and 18. Please schedule an update.

Comment 3 Jan Lieskovsky 2013-07-01 13:07:54 UTC
Created clutter tracking bugs for this issue:

Affects: fedora-all [bug 980116]

Comment 4 Jan Lieskovsky 2013-07-01 13:18:36 UTC

Not vulnerable. This issue did not affect the version of clutter as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 1b1e77b46989ba97bfff8abdfa61df0f514a7eae that introduced this issue.

Note You need to log in before you can comment on or make changes to this bug.