From ${URL} : 1. gnome-shell: blind command execution via activities search keyboard focus The issue is that in Fedora 18, when you open either the Activities panel or "Enter a command" dialog box (Alt+F2), and then lock the screen or let the screensaver lock the screen, then if you start typing on the lock screen, instead of entering the password or just waking the screen, it actually types anything you type on the Activities panel or "Enter a command" dialog box, so anyone who enters a executable command and press enter, the command is executed even when the screen is locked. https://bugzilla.gnome.org/show_bug.cgi?id=686740 And a series of commits fix this issue via: https://git.gnome.org/browse/gnome-shell/log/js/ui/screenShield.js?qt=grep&q=686740 This issue was addressed in upstream release of gnome-shell-3.7.92 @maintainer(s): since the fixed version is already stable, please remove the affected versions from the tree.@Security: please vote and/or file the request for the GLSA.
Affected versions cleaned
GLSA Vote: No
CVE-2013-7220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7220): js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation with the keyboard focus on the Activities search.
GLSA vote: no. Closing as [noglsa]
