Bug 933927 - (CVE-2015-3213) VUL-0: CVE-2015-3213: clutter: Gnome clutter: screenlock bypass by performing certain mouse gestures
(CVE-2015-3213)
VUL-0: CVE-2015-3213: clutter: Gnome clutter: screenlock bypass by performing...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Scott Reeves
Security Team bot
https://smash.suse.de/issue/117292/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-06-08 11:30 UTC by Marcus Meissner
Modified: 2015-06-12 00:13 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-06-08 11:30:59 UTC
from redhat bugzilla:

Ray Strode of Red Hat reports:

Clutter contains APIs for recognizing finger and mouse movement based gestures.
GNOME Shell uses these APIs to recognize when the user lifts the "screen shield"
to initiate the screen unlock process (where a password would normally be 
entered). 

A bug in clutter's gesture handling code leads to a crash in some cases when 
the user performs gestures. This crash can lead to screen lock bypass. The bug 
was fixed upstream in clutter 1.16.2

External reference:
https://bugzilla.gnome.org/show_bug.cgi?id=749847
https://bugzilla.redhat.com/show_bug.cgi?id=1227098
Comment 1 Swamp Workflow Management 2015-06-08 22:01:31 UTC
bugbot adjusting priority
Comment 2 Scott Reeves 2015-06-12 00:13:37 UTC
opensuse 13.1. and 13.2 already have this patch included in the shipping version.

SLE12 does also and the SLE11 version does not have this specific codebase and is not vulnerable (the commit introducing this vulnerability is later than our version)

Nothing to do...