Date: Fri, 27 Dec 2013 11:21:16 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Two CVE request for gnome-shell/screensaver issues

Hi All,

I would like to request CVEs for two slightly related
gnome-shell/screensaver issues. Details as follows:

1. gnome-shell: blind command execution via activities search keyboard focus
The issue is that in Fedora 18, when you open either the Activities
panel or "Enter a command" dialog box (Alt+F2), and then lock the screen
or let the screensaver lock the screen, then if you start typing on the
lock screen, instead of entering the password or just waking the screen,
it actually types anything you type on the Activities panel or "Enter a
command" dialog box, so if anyone enters an executable command and presses
Enter, the command is executed even when the screen is locked.

https://bugzilla.gnome.org/show_bug.cgi?id=686740

And a series of commits fix this issue via:

https://git.gnome.org/browse/gnome-shell/log/js/ui/screenShield.js?qt=grep&q=686740

This issue was addressed in the upstream release gnome-shell-3.7.92.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1030431

2. gnome-shell: run command dialog visible above screen locker
In Fedora 19, the "Enter the Command" dialog box is visible even after
you lock the screen, so anyone can write the commands in the box and
execute them over a locked screen.

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=708313

Upstream patch:
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088

This issue has been addressed in gnome-shell-3.10.0

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1046839


Can two CVEs please be assigned to these issues?

Thanks!

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
