Bugzilla – Bug 843441
VUL-0: CVE-2013-2190: clutter: Improper translation of hierarchy events (gnome-shell crash after system resume)
Last modified: 2013-10-10 16:07:59 UTC
is public, via rh bugzilla CVE-2013-2190

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2190
https://bugzilla.redhat.com/show_bug.cgi?id=980111

A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when the underlying device disappeared, causing the XIQueryDevice query to throw an error). Physically proximate attackers could use this flaw, for example, to obtain unauthorized access to the gnome-shell session right after system resume (due to the gnome-shell crash).

Upstream bug:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=701974

References:
[2] http://www.openwall.com/lists/oss-security/2013/06/18/7
[3] http://www.openwall.com/lists/oss-security/2013/06/19/1

Relevant upstream patch:
[4] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.14&id=e310c68d7b38d521e341f4e8a36f54303079d74e (against clutter v1.14)
[5] https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab (against clutter v1.16)
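The failure mode the report describes, in a self-contained form: a hierarchy event arrives for a device that has already vanished, so the device query fails, and a handler that uses the result without checking it takes the shell down. This is an added example, not clutter's code and not the upstream patch linked above. The X server and XIQueryDevice are replaced by a constructed in-memory table (g_server, query_device), and the event and result types (HierarchyEvent, TranslateResult) are invented for the illustration. What it shows is the defensive pattern: never dereference the device query result without checking it, and never query a device the event says is already gone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the X server's input-device list (not clutter or
 * Xlib code). remove_server_device() simulates the device being unplugged, as
 * can happen across suspend/resume, between the server queuing a hierarchy
 * event and the toolkit handling it. */
#define MAX_DEVICES 8
typedef struct { int deviceid; int present; char name[32]; } ServerDevice;
static ServerDevice g_server[MAX_DEVICES];

static void add_server_device(int id, const char *name) {
    for (int i = 0; i < MAX_DEVICES; i++) {
        if (g_server[i].present) continue;
        g_server[i].deviceid = id;
        g_server[i].present = 1;
        snprintf(g_server[i].name, sizeof g_server[i].name, "%s", name);
        return;
    }
}

static void remove_server_device(int id) {
    for (int i = 0; i < MAX_DEVICES; i++)
        if (g_server[i].present && g_server[i].deviceid == id) g_server[i].present = 0;
}

/* Stand-in for XIQueryDevice(): a heap copy the caller frees, or NULL when the
 * device no longer exists. The real call fails with an X error in that case;
 * a handler that uses the result without checking it takes the whole process
 * (here, the shell) down with it. */
static ServerDevice *query_device(int id) {
    for (int i = 0; i < MAX_DEVICES; i++) {
        if (!g_server[i].present || g_server[i].deviceid != id) continue;
        ServerDevice *copy = malloc(sizeof *copy);
        if (copy) *copy = g_server[i];
        return copy;
    }
    return NULL;
}

/* Toolkit side: the hierarchy event, the result of translating it, and the
 * toolkit's own list of device ids it believes exist. */
enum { HIER_DEVICE_ADDED = 1, HIER_DEVICE_REMOVED = 2 };
typedef struct { int deviceid; int flags; } HierarchyEvent;
typedef enum { TRANSLATE_OK, TRANSLATE_DEVICE_GONE, TRANSLATE_UNKNOWN } TranslateResult;
static int g_known[MAX_DEVICES];
static int g_known_count;

static int known_index(int id) {
    for (int i = 0; i < g_known_count; i++)
        if (g_known[i] == id) return i;
    return -1;
}
static int known_device_count(void) { return g_known_count; }

/* Hardened translation: a removed device is never queried (the server has
 * already dropped it), and an added device's query result is checked before
 * use. A device that vanished in between is reported, not dereferenced. */
static TranslateResult translate_hierarchy_event(const HierarchyEvent *ev) {
    if (ev->flags & HIER_DEVICE_REMOVED) {
        int idx = known_index(ev->deviceid);
        if (idx >= 0) g_known[idx] = g_known[--g_known_count];
        return TRANSLATE_OK;
    }
    if (ev->flags & HIER_DEVICE_ADDED) {
        ServerDevice *info = query_device(ev->deviceid);
        if (info == NULL) return TRANSLATE_DEVICE_GONE;   /* the check that matters */
        if (known_index(ev->deviceid) < 0 && g_known_count < MAX_DEVICES)
            g_known[g_known_count++] = ev->deviceid;
        free(info);
        return TRANSLATE_OK;
    }
    return TRANSLATE_UNKNOWN;
}

static void reset_world(void) { memset(g_server, 0, sizeof g_server); g_known_count = 0; }

/* Ordinary hotplug: the device is still present when the event is handled. */
static int run_hotplug_scenario(void) {
    reset_world();
    add_server_device(3, "USB mouse");
    HierarchyEvent added = { 3, HIER_DEVICE_ADDED };
    return translate_hierarchy_event(&added) == TRANSLATE_OK && known_device_count() == 1;
}

/* The resume case from the report: the device is announced, disappears before
 * the event is handled, and a REMOVED event follows. Nothing may crash. */
static int run_resume_scenario(void) {
    reset_world();
    add_server_device(7, "USB keyboard");
    HierarchyEvent added = { 7, HIER_DEVICE_ADDED }, removed = { 7, HIER_DEVICE_REMOVED };
    remove_server_device(7);
    TranslateResult r = translate_hierarchy_event(&added);
    return r == TRANSLATE_DEVICE_GONE
        && translate_hierarchy_event(&removed) == TRANSLATE_OK
        && known_device_count() == 0;
}

int main(void) {
    printf("hotplug: %d, resume: %d\n", run_hotplug_scenario(), run_resume_scenario());
    return 0;
}
```

Both scenarios return 1 when the handler survives; the second one is the case in the report, where the unchecked query result would otherwise be dereferenced as NULL. With real Xlib the failure also surfaces as a BadDevice X error, so a handler additionally needs the process's X error handling not to abort on it, which this table cannot model.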
Table of our shipped / supported versions:

> osc ls openSUSE:12.2:Update clutter
clutter-1.10.6.tar.xz

> osc ls openSUSE:12.3:Update clutter
clutter-1.12.2.tar.xz

> osc ls openSUSE:13.1:Update clutter (and thus Factory)
clutter-1.16.0.tar.xz
bugbot adjusting priority
(In reply to comment #1)
> Table of our shipped / supported versions:
>
> > osc ls openSUSE:12.2:Update clutter
> clutter-1.10.6.tar.xz

The patch from the 1.14.x branch applies with a 1-line offset, so cleanly.

> > osc ls openSUSE:12.3:Update clutter
> clutter-1.12.2.tar.xz

The patch from the 1.14.x branch applies cleanly.

> > osc ls openSUSE:13.1:Update clutter (and thus Factory)
> clutter-1.16.0.tar.xz

There is an explicit patch for this branch.
(also need to cross check SLE ... but we might not ship the server?)
(In reply to comment #4)
> (also need to cross check SLE ... but we might not ship the server?)

Do you have the header X11/extensions/XInput2.h and an xi.pc? Then you likely build it. Easiest is to check a buildlog:

[ 171s] checking X11/extensions/XInput2.h usability... yes
[ 171s] checking X11/extensions/XInput2.h presence... yes
(In reply to comment #0)
> [5]
> https://git.gnome.org/browse/clutter/commit/?h=clutter-1.16&id=d343cc6289583a7b0d929b82b740499ed588b1ab
> (against clutter v1.16)

This part is weird: this commit was WAY before the 1.16 release; commit date: June 11; the 1.16 release was just a week ago. According to the Factory changelog, the reference bgo#701974 was fixed with clutter 1.15.2.
So far:

Request: #201959
maintenance_incident: home:dimstar:branches:OBS_Maintained:clutter/clutter.openSUSE_12.2_Update -> openSUSE:Maintenance (release in openSUSE:12.2:Update)
maintenance_incident: home:dimstar:branches:OBS_Maintained:clutter/clutter.openSUSE_12.3_Update -> openSUSE:Maintenance (release in openSUSE:12.3:Update)

For openSUSE 13.1 / Factory, there is nothing to be done, as we already have clutter 1.16, which contains the fix.
openSUSE-SU-2013:1540-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 843441
CVE References: CVE-2013-2190
Sources used:
openSUSE 12.3 (src): clutter-1.12.2-2.4.1
openSUSE 12.2 (src): clutter-1.10.6-2.4.1
The clutter 1.0.6 in SLE11 does not reference xi or XIQueryDevice, so it's not affected.