
Bug 435456 (CVE-2012-4427)

Summary: gnome-base/gnome-shell: browser plugin can be made to install shell extensions from the official upstream repository without user authorization (CVE-2012-4427)
Product: Gentoo Security
Reporter: Alexandre Rostovtsev (RETIRED) <tetromino>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=858034
          https://bugzilla.gnome.org/show_bug.cgi?id=684215
Whiteboard: ~? [noglsa]
Package list:
Runtime testing required: ---

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-18 22:17:56 UTC
To quote https://bugzilla.redhat.com/show_bug.cgi?id=858034:

> Tavis Ormandy discovered that the browser extension installed as part of Gnome Shell (libgnome-shell-browser-plugin.so) would install Gnome Shell extensions without authorization from the user running the browser. While the Gnome Shell extension installer does not install these extensions directly, it does pass them to Gnome Shell via D-BUS, which then in turn installs the extension from extensions.gnome.org. If a malicious user were to upload a malicious extension to extensions.gnome.org and coerce a user into visiting a site where the extension installer would request that application's installation, the extension would be installed without the victim's knowledge.

Note that only extensions hosted at the official extensions.gnome.org repository can be installed in this manner, and they are all supposed to be vetted, so the security impact of this is as bad as one might first expect.

I believe that all versions of gnome-shell currently in portage and the gnome overlay are affected. At the moment, there is no upstream solution; see https://bugzilla.gnome.org/show_bug.cgi?id=684215
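The description above explains the mechanism (browser plugin, D-Bus call, install from extensions.gnome.org) but gives an administrator no way to see where they stand. The following script is an added example for this bug page, not code from the bug report, from Gentoo or from GNOME: it checks whether the plugin file named above is present in the usual NPAPI plugin directories and inventories the user's installed shell extensions, flagging which are enabled and which have a directory name that disagrees with the uuid in their metadata.json. The plugin directories, the extension path ~/.local/share/gnome-shell/extensions/<uuid>/metadata.json and the gsettings key org.gnome.shell enabled-extensions are assumptions about a typical GNOME install, not facts stated on the page; the sample extension tree built by make_sample_tree() is constructed data for offline runs.

```python
#!/usr/bin/env python3
"""Audit a GNOME desktop for the browser plugin named in this bug and list
which shell extensions are installed and enabled.

Added example for this bug page; not code from the bug report or from GNOME.
Assumptions (not stated on the page): user-installed extensions live under
~/.local/share/gnome-shell/extensions/<uuid>/metadata.json, the enabled set
is the gsettings key org.gnome.shell enabled-extensions, and NPAPI plugins
live in the directories listed in PLUGIN_DIRS.
"""
import ast
import json
import subprocess
import tempfile
from pathlib import Path

# Plugin file name given in the bug description.
PLUGIN_NAME = "libgnome-shell-browser-plugin.so"
# Common NPAPI plugin directories (assumption; adjust for the distro).
PLUGIN_DIRS = ["/usr/lib/mozilla/plugins", "/usr/lib64/mozilla/plugins",
               "~/.mozilla/plugins"]
USER_EXT_DIR = "~/.local/share/gnome-shell/extensions"


def find_browser_plugin(dirs=PLUGIN_DIRS):
    """Return every path under `dirs` where the browser plugin is installed."""
    return [p for p in (Path(d).expanduser() / PLUGIN_NAME for d in dirs)
            if p.exists()]


def parse_enabled_list(gvariant_text):
    """Turn gsettings output such as "['a@x', 'b@y']" or "@as []" into a list."""
    text = gvariant_text.strip()
    if text.startswith("@as"):          # typed empty array prints as "@as []"
        text = text[3:].strip()
    value = ast.literal_eval(text) if text else []
    return [str(v) for v in value]


def read_enabled_extensions():
    """Query gsettings for the enabled set; empty list if gsettings is absent."""
    try:
        out = subprocess.run(
            ["gsettings", "get", "org.gnome.shell", "enabled-extensions"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_enabled_list(out)


def audit_extensions(ext_root, enabled):
    """Describe each extension under ext_root: uuid, name, whether it is in
    the enabled set, and whether the directory name disagrees with the uuid
    in metadata.json (a sign of a tampered or broken install)."""
    records = []
    root = Path(ext_root).expanduser()
    if not root.is_dir():
        return records
    for d in sorted(root.iterdir()):
        meta_path = d / "metadata.json"
        if not meta_path.is_file():
            continue
        try:
            meta = json.loads(meta_path.read_text())
        except (ValueError, OSError):
            meta = {}
        uuid = str(meta.get("uuid", ""))
        records.append({
            "dir": d.name,
            "uuid": uuid,
            "name": str(meta.get("name", "?")),
            "enabled": uuid in enabled,
            "uuid_mismatch": uuid != d.name,
        })
    return records


def make_sample_tree():
    """Constructed sample data: a temporary extensions directory with one
    well-formed extension and one whose directory name does not match its uuid."""
    base = Path(tempfile.mkdtemp(prefix="gs-ext-audit-"))
    good = base / "clock@example.org"
    good.mkdir()
    (good / "metadata.json").write_text(json.dumps(
        {"uuid": "clock@example.org", "name": "Clock Tweaks"}))
    odd = base / "renamed-dir"
    odd.mkdir()
    (odd / "metadata.json").write_text(json.dumps(
        {"uuid": "notes@example.org", "name": "Sticky Notes"}))
    return str(base)


if __name__ == "__main__":
    hits = find_browser_plugin()
    print("browser plugin present:" if hits else "browser plugin not found",
          *hits)
    enabled = read_enabled_extensions()
    for r in audit_extensions(USER_EXT_DIR, enabled):
        flags = ("enabled" if r["enabled"] else "disabled") + \
                (", uuid mismatch" if r["uuid_mismatch"] else "")
        print(f'{r["uuid"] or r["dir"]:40} {r["name"]} ({flags})')
```

Run it as the desktop user whose browser is in question; the plugin check only says whether the affected component is deployed, while the extension inventory is what you compare against what the user remembers installing, since an extension pulled in through this bug would show up as a normal, enabled entry under the user's extension directory.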
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:36:14 UTC
CVE-2012-4427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4427):
  The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the
  download and installation of arbitrary extensions from extensions.gnome.org
  via a crafted web page.
Comment 2 Pacho Ramos gentoo-dev 2013-08-23 09:43:33 UTC
Upstream finally closed this as WONTFIX:
https://bugzilla.gnome.org/show_bug.cgi?id=684215#c6
Comment 3 Sergey Popov gentoo-dev 2013-08-30 11:22:49 UTC
Gnome 3.4.* is gone from the tree and 3.6/3.8 are not yet stable. Closing this as FIXED.