Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Dec 2013 11:21:16 +0530
From: Huzaifa Sidhpurwala <>
Subject: Two CVE request for gnome-shell/screensaver issues

Hi All,

I would like to request CVEs for two slightly related
gnome-shell/screensaver issues. Details as follows:

1. gnome-shell: blind command execution via activities search keyboard focus
The issue is that in Fedora 18, when you open either the Activities
panel or "Enter a command" dialog box (Alt+F2), and then lock the screen
or let the screensaver lock the screen, then if you start typing on the
lock screen, instead of entering the password or just waking the screen,
it actually types anything you type on the Activities panel or "Enter a
command" dialog box, so anyone who enters a executable command and press
enter, the command is executed even when the screen is locked.

And a series of commits fix this issue via:

This issue was addressed in upstream release of gnome-shell-3.7.92


2. gnome-shell: run command dialog visible above screen locker
In Fedora 19, the "Enter the Command" dialog box is visible even after
you lock the screen, so anyone can write the commands in the box and
execute them over a locked screen.

Upstream bug:

Upstream patch:

This issue has been addressed in gnome-shell-3.10.0


Can two CVEs be please assigned to these issues?


Huzaifa Sidhpurwala / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.