Bug 11448 - clutter new security issue CVE-2013-2190
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570146/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Reported: 2013-10-11 20:53 CEST by David Walser
Modified: 2013-10-17 22:07 CEST (History)

Source RPM: clutter-1.12.2-2.mga3.src.rpm

Description David Walser 2013-10-11 20:53:26 CEST
openSUSE has issued an advisory on October 10:
http://lists.opensuse.org/opensuse-updates/2013-10/msg00014.html

The issue is fixed upstream in 1.16.0, which is already in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated clutter packages fix security vulnerability:

A security flaw was found in the way Clutter, an open source software library
for creating rich graphical user interfaces, used to manage translation of
hierarchy events in certain circumstances (when underlying device disappeared,
causing XIQueryDevice query to throw an error). Physically proximate attackers
could use this flaw for example to obtain unauthorized access to gnome-shell
session right after system resume (due to gnome-shell crash) (CVE-2013-2190).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2190
http://lists.opensuse.org/opensuse-updates/2013-10/msg00014.html
========================

Updated packages in core/updates_testing:
========================
clutter-i18n-1.10.8-1.1.mga2
libclutter1.0_0-1.10.8-1.1.mga2
libclutter1.0-devel-1.10.8-1.1.mga2
libclutter-gir1.0-1.10.8-1.1.mga2
clutter-i18n-1.12.2-2.1.mga3
libclutter1.0_0-1.12.2-2.1.mga3
libclutter1.0-devel-1.12.2-2.1.mga3
libclutter-gir1.0-1.12.2-2.1.mga3

from SRPMS:
clutter-1.10.8-1.1.mga2.src.rpm
clutter-1.12.2-2.1.mga3.src.rpm

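To confirm that a Mageia 2 or 3 system actually carries the fixed clutter builds listed above, the following script is an added example (it is not part of this bug, of Mageia's own tooling, or of clutter). It reimplements rpm's version comparison in simplified form (split into numeric and alphabetic segments, compare segment by segment, a numeric segment ranks newer than an alphabetic one; no epoch, tilde or caret handling) and runs it over a constructed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` listing. The fixed version-release strings are the ones from the updates_testing list in the description; the sample inventory, the lib64-to-lib name normalization and all function names are this example's own assumptions.

```python
"""Flag installed clutter packages that are older than the CVE-2013-2190 fix.

Added example, not Mageia or clutter code. Input is one NAME-VERSION-RELEASE
per line, as printed by:  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
"""
import re

# Fixed VERSION-RELEASE per package, per Mageia release, copied from the bug.
FIXED = {
    "mga2": {
        "clutter-i18n": "1.10.8-1.1.mga2",
        "libclutter1.0_0": "1.10.8-1.1.mga2",
        "libclutter1.0-devel": "1.10.8-1.1.mga2",
        "libclutter-gir1.0": "1.10.8-1.1.mga2",
    },
    "mga3": {
        "clutter-i18n": "1.12.2-2.1.mga3",
        "libclutter1.0_0": "1.12.2-2.1.mga3",
        "libclutter1.0-devel": "1.12.2-2.1.mga3",
        "libclutter-gir1.0": "1.12.2-2.1.mga3",
    },
}

# Constructed sample: an x86_64 Mageia 3 box where only part of the update landed.
SAMPLE_INVENTORY = """\
lib64clutter1.0_0-1.12.2-2.mga3
lib64clutter1.0-devel-1.12.2-2.1.mga3
clutter-i18n-1.12.2-2.1.mga3
lib64clutter-gir1.0-1.12.2-2.mga3
glib2.0-common-2.34.3-2.mga3
"""

_SEG = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 like the C original.

    Segments are compared pairwise; numbers numerically, letters lexically,
    and a numeric segment is newer than an alphabetic one at the same position
    (so 2.1.mga3 > 2.mga3). The string with more segments wins on a tie.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    av, ar = a.split("-", 1)
    bv, br = b.split("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)


def parse_nvr(line):
    """Split NAME-VERSION-RELEASE; neither VERSION nor RELEASE may contain '-'."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def find_outdated(inventory):
    """Return [(name, installed, fixed)] for clutter packages below the fix."""
    outdated = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_nvr(line)
        m = re.search(r"mga(\d+)$", release)      # which Mageia release built it
        if not m or "mga" + m.group(1) not in FIXED:
            continue
        # Assumption: x86_64 library packages carry a lib64 prefix in Mageia.
        key = "lib" + name[len("lib64"):] if name.startswith("lib64") else name
        fixed_vr = FIXED["mga" + m.group(1)].get(key)
        if fixed_vr is None:
            continue
        installed = version + "-" + release
        if evr_cmp(installed, fixed_vr) < 0:
            outdated.append((name, installed, fixed_vr))
    return outdated


if __name__ == "__main__":
    for name, have, want in find_outdated(SAMPLE_INVENTORY):
        print(f"{name}: installed {have}, fixed in {want}")
```

On a real system replace SAMPLE_INVENTORY with the output of the rpm query above; an empty result means every clutter package present is at or above the release that shipped the fix.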
Comment 1 claire robinson 2013-10-14 15:52:30 CEST
This seems to be triggered when resuming from suspend in gnome with the screen lock active. It is occasionally reported to crash and drop to the running gnome session, thereby bypassing the lock.
Comment 2 claire robinson 2013-10-14 16:41:28 CEST
Testing complete mga2 32 and mga3 32

Tested by logging in to gnome and, in gnome settings (Brightness & Lock), setting the screen lock to on when the screen turns off.

Suspended the mga2 32 laptop, resumed, and entered the password to unlock the screen.

Wasn't able to suspend mga3 32, so locked the screen and unlocked it.

I wasn't able to reproduce the crash but noticed no regression with the updated packages.
Comment 3 claire robinson 2013-10-14 16:42:24 CEST
Locked/unlocked and suspended/resumed several times in testing.
Comment 4 claire robinson 2013-10-14 16:52:35 CEST
Testing complete mga2 64 in vbox, which doesn't like gnome, with lock/unlock

Removed gnome when finished with it:

# urpme --auto-orphans task-gnome
Comment 5 claire robinson 2013-10-15 09:35:36 CEST
Testing complete mga3 64
Comment 6 claire robinson 2013-10-15 09:40:41 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 7 Thomas Backlund 2013-10-17 22:07:08 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0312.html
