OpenSuSE has issued an advisory on October 10:
http://lists.opensuse.org/opensuse-updates/2013-10/msg00014.html

The issue is fixed upstream in 1.16.0, which is already in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated clutter packages fix security vulnerability:

A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when underlying device disappeared, causing XIQueryDevice query to throw an error). Physically proximate attackers could use this flaw for example to obtain unauthorized access to gnome-shell session right after system resume (due to gnome-shell crash) (CVE-2013-2190).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2190
http://lists.opensuse.org/opensuse-updates/2013-10/msg00014.html
========================

Updated packages in core/updates_testing:
========================
clutter-i18n-1.10.8-1.1.mga2
libclutter1.0_0-1.10.8-1.1.mga2
libclutter1.0-devel-1.10.8-1.1.mga2
libclutter-gir1.0-1.10.8-1.1.mga2
clutter-i18n-1.12.2-2.1.mga3
libclutter1.0_0-1.12.2-2.1.mga3
libclutter1.0-devel-1.12.2-2.1.mga3
libclutter-gir1.0-1.12.2-2.1.mga3

from SRPMS:
clutter-1.10.8-1.1.mga2.src.rpm
clutter-1.12.2-2.1.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
This seems to be triggered when resuming from suspend in gnome with the screen lock active. It is occasionally reported to crash and drop to the running gnome session, thereby bypassing the lock.
Testing complete mga2 32 and mga3 32.

Tested by logging in to gnome and setting the screen lock to on, when the screen turns off, in gnome settings, brightness & lock.

Suspended mga2 32 laptop and resumed and entered the password to unlock the screen.

Wasn't able to suspend mga3 32 so locked the screen and unlocked it.

I wasn't able to reproduce the crash but noticed no regression with the updated packages.
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-32-ok mga3-32-ok
Locked/unlocked and suspended/resumed several times in testing.
Testing complete mga2 64 in vbox, which doesn't like gnome, with lock/unlock.

Removed gnome when finished with
# urpme --auto-orphans task-gnome
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga3-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok
Testing complete mga3 64
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates?

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0312.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED