Bug 933927 (CVE-2015-3213)

Summary: VUL-0: CVE-2015-3213: clutter: Gnome clutter: screenlock bypass by performing certain mouse gestures
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Scott Reeves <sreeves>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/117292/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-06-08 11:30:59 UTC
From Red Hat Bugzilla:

Ray Strode of Red Hat reports:

Clutter contains APIs for recognizing finger and mouse movement based gestures.
GNOME Shell uses these APIs to recognize when the user lifts the "screen shield"
to initiate the screen unlock process (where a password would normally be 
entered). 

A bug in clutter's gesture handling code leads to a crash in some cases when 
the user performs gestures. This crash can lead to screen lock bypass. The bug 
was fixed upstream in clutter 1.16.2.

External reference:
https://bugzilla.gnome.org/show_bug.cgi?id=749847
https://bugzilla.redhat.com/show_bug.cgi?id=1227098

Comment 1 Swamp Workflow Management 2015-06-08 22:01:31 UTC
bugbot adjusting priority

Comment 2 Scott Reeves 2015-06-12 00:13:37 UTC
openSUSE 13.1 and 13.2 already have this patch included in the shipping version.

SLE12 does also, and the SLE11 version does not have this specific codebase and is not vulnerable (the commit introducing this vulnerability is later than our version).

Nothing to do...