oss-sec mailing list archives
Two CVE request for gnome-shell/screensaver issues
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Fri, 27 Dec 2013 11:21:16 +0530
Hi All,

I would like to request CVEs for two slightly related gnome-shell/screensaver issues. Details as follows:

1. gnome-shell: blind command execution via activities search keyboard focus

The issue is that in Fedora 18, when you open either the Activities panel or "Enter a command" dialog box (Alt+F2), and then lock the screen or let the screensaver lock the screen, then if you start typing on the lock screen, instead of entering the password or just waking the screen, it actually types anything you type on the Activities panel or "Enter a command" dialog box, so if anyone enters an executable command and presses Enter, the command is executed even when the screen is locked.

https://bugzilla.gnome.org/show_bug.cgi?id=686740

And a series of commits fix this issue via:
https://git.gnome.org/browse/gnome-shell/log/js/ui/screenShield.js?qt=grep&q=686740

This issue was addressed in upstream release of gnome-shell-3.7.92

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1030431

2. gnome-shell: run command dialog visible above screen locker

In Fedora 19, the "Enter the Command" dialog box is visible even after you lock the screen, so anyone can write the commands in the box and execute them over a locked screen.

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=708313

Upstream patch:
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088

This issue has been addressed in gnome-shell-3.10.0

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1046839

Can two CVEs please be assigned to these issues?

Thanks!

--
Huzaifa Sidhpurwala / Red Hat Security Response Team