Bug 856846 (CVE-2013-7220) - VUL-0: CVE-2013-7220 CVE-2013-7221: gnome-shell two issues
Summary: VUL-0: CVE-2013-7220 CVE-2013-7221: gnome-shell two issues
Status: RESOLVED FIXED
Alias: CVE-2013-7220
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Dominique Leuenberger
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-27 12:51 UTC by Marcus Meissner
Modified: 2015-02-17 14:56 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-12-27 12:51:35 UTC
via oss-sec

CVE-2013-7220 CVE-2013-7221

I would like to request CVEs for two slightly related
gnome-shell/screensaver issues. Details as follows:

1. gnome-shell: blind command execution via activities search keyboard focus
The issue is that in Fedora 18, when you open either the Activities
panel or "Enter a command" dialog box (Alt+F2), and then lock the screen
or let the screensaver lock the screen, then if you start typing on the
lock screen, instead of entering the password or just waking the screen,
it actually types anything you type on the Activities panel or "Enter a
command" dialog box, so if anyone enters an executable command and presses
enter, the command is executed even when the screen is locked.

https://bugzilla.gnome.org/show_bug.cgi?id=686740

And a series of commits fix this issue via:

https://git.gnome.org/browse/gnome-shell/log/js/ui/screenShield.js?qt=grep&q=686740

This issue was addressed in upstream release of gnome-shell-3.7.92

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1030431

2. gnome-shell: run command dialog visible above screen locker
In Fedora 19, the "Enter the Command" dialog box is visible even after
you lock the screen, so anyone can write the commands in the box and
execute them over a locked screen.

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=708313

Upstream patch:
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088

This issue has been addressed in gnome-shell-3.10.0

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1046839


References:
https://bugzilla.gnome.org/show_bug.cgi?id=708313
https://bugzilla.redhat.com/show_bug.cgi?id=1046839
https://bugzilla.gnome.org/show_bug.cgi?id=686740
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088
https://bugzilla.redhat.com/show_bug.cgi?id=1030431
http://comments.gmane.org/gmane.comp.security.oss.general/11752
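The two reports above share one root cause: a dialog that can run commands keeps keyboard focus (or stays visible) after the screen is locked. The following is an added model of that routing defect beside a hardened version; it is not code from gnome-shell's screenShield.js or main.js, and every class and function name in it is hypothetical.

```javascript
// Added model of the lock-screen input-routing defect described above.
// Hypothetical names; this is NOT gnome-shell's screenShield.js or main.js.
// Input: a constructed key sequence typed while the screen is locked.

class RunDialog {            // stands in for the Alt+F2 "Enter a command" box
  constructor() { this.buffer = ""; this.executed = []; }
  handleKey(key) {
    if (key === "Enter") { this.executed.push(this.buffer); this.buffer = ""; }
    else this.buffer += key;
  }
}

class ScreenShield {         // stands in for the lock screen / password entry
  constructor() { this.locked = false; this.keys = []; }
  lock() { this.locked = true; }
  handleKey(key) { this.keys.push(key); }  // only ever reaches the unlock entry
}

// Vulnerable routing: the last opened modal keeps keyboard focus, and
// locking changes nothing, so keystrokes still land in the run dialog.
function dispatchVulnerable(shell, key) {
  (shell.runDialog || shell.shield).handleKey(key);
}

// Hardened routing: locking closes command-capable modals, and while
// locked every key event is owned by the shield regardless of other UI.
function lockHardened(shell) {
  shell.runDialog = null;
  shell.shield.lock();
}
function dispatchHardened(shell, key) {
  if (shell.shield.locked) { shell.shield.handleKey(key); return; }
  (shell.runDialog || shell.shield).handleKey(key);
}

// Simulate: run dialog is open, screen gets locked, then a command is
// typed and Enter pressed. Returns what ran and how many keys the shield got.
function simulate(hardened) {
  const shell = { shield: new ScreenShield(), runDialog: new RunDialog() };
  const dialog = shell.runDialog;
  if (hardened) lockHardened(shell); else shell.shield.lock();
  const keys = [..."some-command", "Enter"];            // constructed input
  for (const k of keys) (hardened ? dispatchHardened : dispatchVulnerable)(shell, k);
  return { executed: dialog.executed, shieldKeys: shell.shield.keys.length };
}

console.log(simulate(false), simulate(true));
```

In the vulnerable model the command list is non-empty after locking; in the hardened model nothing runs and all thirteen key events reach the shield, which is the property a fix for either CVE has to guarantee.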
Comment 2 Marcus Meissner 2013-12-27 12:53:03 UTC
does this affect just openSUSE or also SLE?

I would SLE did not have gnome-shell yet
Comment 3 Swamp Workflow Management 2013-12-27 23:00:52 UTC
bugbot adjusting priority
Comment 4 Frederic Crozat 2014-01-08 16:16:01 UTC
(In reply to comment #2)
> does this affect just openSUSE or also SLE?
> 
> I would SLE did not have gnome-shell yet

SLE 12 will be shipping GNOME 3.10.x so those issues are already fixed there (and SLE 11 isn't affected).
Comment 5 Marcus Meissner 2014-01-09 15:18:02 UTC
assigning to opensuse gnome guy
Comment 6 Dominique Leuenberger 2014-01-13 20:07:41 UTC
Bug applicability:

openSUSE 13.1: both bugs not present, due to shipped gnome-shell 3.10.1 (bug 1 fixed in 3.7.92, bug 2 in 3.10.0)

openSUSE 12.3: ships gnome-shell 3.6.3.1;
    Bug 1: Seems backportable in reasonable time (done)
    Bug 2: Backport should be possible, but not five-minute trivial

openSUSE 12.2: ships gnome-shell 3.4.2:
Comment 7 Marcus Meissner 2014-07-03 09:08:14 UTC
did we fix bug 1 for 12.3?

if you can try, it would be appreciated, but don't waste too much effort on 12.3.
Comment 8 Victor Pereira 2015-02-17 14:56:47 UTC
pending bugs already fixed.