A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when underlying device disappeared, causing XIQueryDevice query to throw an error). Physically proximate attackers could use this flaw for example to obtain unauthorized access to gnome-shell session right after system resume (due to gnome-shell crash). Upstream bug: [1] https://bugzilla.gnome.org/show_bug.cgi?id=701974 References: [2] http://www.openwall.com/lists/oss-security/2013/06/18/7 [3] http://www.openwall.com/lists/oss-security/2013/06/19/1 Relevant upstream patch: [4] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.14&id=e310c68d7b38d521e341f4e8a36f54303079d74e (against clutter v1.14) [5] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab (against clutter v1.16)
This issue did NOT affect the version of the clutter package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the clutter package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Created clutter tracking bugs for this issue: Affects: fedora-all [bug 980116]
Statement: Not vulnerable. This issue did not affect the version of clutter as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 1b1e77b46989ba97bfff8abdfa61df0f514a7eae that introduced this issue.