Date: Fri, 27 Dec 2013 11:21:16 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Two CVE request for gnome-shell/screensaver issues

Hi All,

I would like to request CVEs for two slightly related gnome-shell/screensaver issues. Details as follows:

1. gnome-shell: blind command execution via activities search keyboard focus

The issue is that in Fedora 18, when you open either the Activities panel or the "Enter a command" dialog box (Alt+F2), and then lock the screen or let the screensaver lock the screen, then if you start typing on the lock screen, instead of entering the password or just waking the screen, it actually types anything you type into the Activities panel or "Enter a command" dialog box. So if anyone enters an executable command and presses Enter, the command is executed even when the screen is locked.

https://bugzilla.gnome.org/show_bug.cgi?id=686740

And a series of commits fix this issue via:

https://git.gnome.org/browse/gnome-shell/log/js/ui/screenShield.js?qt=grep&q=686740

This issue was addressed in the upstream release of gnome-shell-3.7.92.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1030431

2. gnome-shell: run command dialog visible above screen locker

In Fedora 19, the "Enter the Command" dialog box is visible even after you lock the screen, so anyone can write commands in the box and execute them over a locked screen.

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=708313

Upstream patch:
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088

This issue has been addressed in gnome-shell-3.10.0.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1046839

Can two CVEs please be assigned to these issues?

Thanks!

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
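As an added illustration, not gnome-shell code and not part of the original post, the simplified JavaScript model below reproduces the failure mode both reports describe (a run dialog left open and focused while the screen shield is up, so typed keys still reach it) next to a routing that closes modal dialogs on lock and keeps all key events on the shield while locked. Every class, function and name here is invented for the model.

```javascript
// Added example: a toy model of lock-screen key routing, not gnome-shell code.
// The vulnerable shell keeps keyboard focus on whatever was open before lock();
// the hardened shell dismisses modal dialogs on lock and, while locked, routes
// every key event to the shield only. All names are invented for the model.
class RunDialog {
  constructor(exec) { this.exec = exec; this.open = false; this.buffer = ''; }
  show() { this.open = true; this.buffer = ''; }
  close() { this.open = false; this.buffer = ''; }
  keyPress(key) {
    if (!this.open) return;
    if (key === 'Enter') { const cmd = this.buffer; this.buffer = ''; this.exec(cmd); }
    else this.buffer += key;
  }
}
class ScreenShield {
  constructor() { this.locked = false; this.typedPassword = ''; }
  lock() { this.locked = true; this.typedPassword = ''; }
  keyPress(key) { if (key !== 'Enter') this.typedPassword += key; }
}
// Vulnerable routing: the focused actor is left untouched across lock().
function makeVulnerableShell(exec) {
  const dialog = new RunDialog(exec), shield = new ScreenShield();
  let focus = null;
  return {
    openRunDialog() { dialog.show(); focus = dialog; },
    lock() { shield.lock(); /* focus stays on the dialog: the bug */ },
    keyPress(k) { (focus || shield).keyPress(k); },
  };
}
// Hardened routing: lock() closes the dialog and moves focus to the shield,
// and while locked no key event can reach anything but the shield.
function makeHardenedShell(exec) {
  const dialog = new RunDialog(exec), shield = new ScreenShield();
  let focus = null;
  return {
    openRunDialog() { if (!shield.locked) { dialog.show(); focus = dialog; } },
    lock() { dialog.close(); shield.lock(); focus = shield; },
    keyPress(k) { (shield.locked ? shield : (focus || shield)).keyPress(k); },
  };
}
// Scenario from the report: open the run dialog, lock, type a command, press
// Enter. Returns the list of commands the shell actually executed.
function runScenario(makeShell) {
  const executed = [];
  const shell = makeShell((cmd) => executed.push(cmd));
  shell.openRunDialog();
  shell.lock();
  for (const k of ['l', 's', 'Enter']) shell.keyPress(k);
  return executed;
}
```

A regression check for a real shell would assert the same invariant: after lock(), no keystroke may cause a command to run until the shield has been unlocked.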