Summary: | gnome-base/gnome-shell: browser plugin can be made to install shell extensions from the official upstream repository without user authorization (CVE-2012-4427) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alexandre Rostovtsev (RETIRED) <tetromino> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | gnome |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=858034 https://bugzilla.gnome.org/show_bug.cgi?id=684215 | ||
Whiteboard: | ~? [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Alexandre Rostovtsev (RETIRED)
2012-09-18 22:17:56 UTC
CVE-2012-4427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4427): The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the download and installation of arbitrary extensions from extensions.gnome.org via a crafted web page.

Upstream finally closed this as wontfix: https://bugzilla.gnome.org/show_bug.cgi?id=684215#c6

Gnome 3.4.* is gone from tree and 3.6/3.8 is not yet stable. Closing this as FIXED.