Mageia Bugzilla – Bug 11448
clutter new security issue CVE-2013-2190
Last modified: 2013-10-17 22:07:08 CEST
openSUSE has issued an advisory on October 10:
The issue is fixed upstream in 1.16.0, which is already in Cauldron.
Patched packages uploaded for Mageia 2 and Mageia 3.
Updated clutter packages fix security vulnerability:
A security flaw was found in the way Clutter, an open source software library
for creating rich graphical user interfaces, used to manage translation of
hierarchy events in certain circumstances (when underlying device disappeared,
causing XIQueryDevice query to throw an error). Physically proximate attackers
could use this flaw for example to obtain unauthorized access to gnome-shell
session right after system resume (due to gnome-shell crash) (CVE-2013-2190).
Updated packages in core/updates_testing:
Steps to Reproduce:
This seems to be triggered when resuming from suspend in gnome with the screen lock active. It is occasionally reported to crash and drop to the running gnome session, thereby bypassing the lock.
Testing complete mga2 32 and mga3 32
Tested by logging in to gnome and setting the screen lock to on, when the screen turns off, in gnome settings, brightness & lock.
Suspended mga2 32 laptop and resumed and entered the password to unlock the screen.
Wasn't able to suspend mga3 32 so locked the screen and unlocked it.
I wasn't able to reproduce the crash but noticed no regression with the updated packages.
Locked/unlocked and suspended/resumed several times in testing.
Testing complete mga2 64 in vbox, which doesn't like gnome, with lock/unlock
Removed gnome when finished with
# urpme --auto-orphans task-gnome
Testing complete mga3 64
Validating. Advisory uploaded.
Could sysadmin please push from 2&3 core/updates_testing to updates?