Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 435456 (CVE-2012-4427)

Summary: gnome-base/gnome-shell: browser plugin can be made to install shell extensions from the official upstream repository without user authorization (CVE-2012-4427)
Product: Gentoo Security Reporter: Alexandre Rostovtsev (RETIRED) <tetromino>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: ~? [noglsa]
Package list:
Runtime testing required: ---

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-18 22:17:56 UTC
To quote

> Tavis Ormandy discovered that the browser extension installed as part of Gnome Shell ( would install Gnome Shell extensions without authorization from the user running the browser.  While the Gnome Shell extension installer does not install these extensions directly, it does pass them to Gnome Shell via D-BUS, which then in turn installs the extension from  If a malicious user were to upload a malicious extensions to and coerce a user into visiting a site where the extension installer would request that application's installation, the extension would be installed without the victim's knowledge.

Note that only extensions hosted at the official repository can be installed in this manner, and they are all supposed to be vetted, so the security impact of this is as bad as one might first expect.

I believe that all versions of gnome-shell currently in portage and the gnome overlay are affected. At the moment, there is no upstream solution; see
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:36:14 UTC
CVE-2012-4427 (
  The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the
  download and installation of arbitrary extensions from
  via a crafted web page.
Comment 2 Pacho Ramos gentoo-dev 2013-08-23 09:43:33 UTC
upstream finally closed this as wontfix:
Comment 3 Sergey Popov gentoo-dev 2013-08-30 11:22:49 UTC
Gnome 3.4.* is gone from tree and 3.6/3.8 is not yet stable. Closing this as FIXED