Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 435456 (CVE-2012-4427) - gnome-base/gnome-shell: browser plugin can be made to install shell extensions from the official upstream repository without user authorization (CVE-2012-4427)
Summary: gnome-base/gnome-shell: browser plugin can be made to install shell extension...
Alias: CVE-2012-4427
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~? [noglsa]
Depends on:
Reported: 2012-09-18 22:17 UTC by Alexandre Rostovtsev (RETIRED)
Modified: 2013-08-30 11:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-18 22:17:56 UTC
To quote

> Tavis Ormandy discovered that the browser extension installed as part of Gnome Shell ( would install Gnome Shell extensions without authorization from the user running the browser.  While the Gnome Shell extension installer does not install these extensions directly, it does pass them to Gnome Shell via D-BUS, which then in turn installs the extension from  If a malicious user were to upload a malicious extensions to and coerce a user into visiting a site where the extension installer would request that application's installation, the extension would be installed without the victim's knowledge.

Note that only extensions hosted at the official repository can be installed in this manner, and they are all supposed to be vetted, so the security impact of this is as bad as one might first expect.

I believe that all versions of gnome-shell currently in portage and the gnome overlay are affected. At the moment, there is no upstream solution; see
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:36:14 UTC
CVE-2012-4427 (
  The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the
  download and installation of arbitrary extensions from
  via a crafted web page.
Comment 2 Pacho Ramos gentoo-dev 2013-08-23 09:43:33 UTC
upstream finally closed this as wontfix:
Comment 3 Sergey Popov gentoo-dev 2013-08-30 11:22:49 UTC
Gnome 3.4.* is gone from tree and 3.6/3.8 is not yet stable. Closing this as FIXED