CVE-2013-7221
https://notcve.org/view.php?id=CVE-2013-7221
The automatic screen lock functionality in GNOME Shell (aka gnome-shell) before 3.10 does not prevent access to the "Enter a Command" dialog, which allows physically proximate attackers to execute arbitrary commands by leveraging an unattended workstation. La funcionalidad de bloqueo de pantalla automático en GNOME Shell (también conocido como gnome-shell) anterior a 3.10 no previene acceso al dialogo "Enter a Command", lo que permite a atacantes físicamente próximos ejecutar comandos arbitrarios aprovechandose de una estación de trabajo desatendida. • http://www.openwall.com/lists/oss-security/2013/12/27/4 http://www.openwall.com/lists/oss-security/2013/12/27/8 https://bugzilla.gnome.org/show_bug.cgi?id=708313 https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-7273
https://notcve.org/view.php?id=CVE-2013-7273
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name. GNOME Display Manager (gdm) 3.4.1 y anteriores, cuando "disable-user-list" está configurado como "true", permite a usuarios locales causar una denegación de servicio (incapacidad de iniciar sesión) al pulsar el botón Cancel después de escribir un nombre de usuario. • http://www.openwall.com/lists/oss-security/2014/01/07/10 http://www.openwall.com/lists/oss-security/2014/01/07/16 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683338 https://bugzilla.gnome.org/show_bug.cgi?id=704284 https://bugzilla.redhat.com/show_bug.cgi?id=1050745 •
CVE-2013-4169 – gdm: TOCTTOU race condition on /tmp/.X11-unix
https://notcve.org/view.php?id=CVE-2013-4169
GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/. GNOME Display Manager (gdm) anteriores a 2.21.1 permiten a usuarios locales cambiar permisos de directorios arbitrarios a través de un ataque de enlaces simbólicos sobre /tmp/.X11-unix/. • http://rhn.redhat.com/errata/RHSA-2013-1213.html http://secunia.com/advisories/54661 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=988498 https://access.redhat.com/security/cve/CVE-2013-4169 https://bugzilla.redhat.com/show_bug.cgi?id=988498 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-552: Files or Directories Accessible to External Parties •
CVE-2013-0240
https://notcve.org/view.php?id=CVE-2013-0240
Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. Gnome Online Accounts (GOA) 3.4.x, 3.6.x anterior a 3.6.3 y 3.7.x anterior a 3.7.91, no valida adecuadamente los certificados SSL cuando crea cuentas para Windows Live o Facebook, lo que permite a atacantes "man-in-the-middle", obtener información sensible como credenciales mediante la captura de tráfico de red. • http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html http://secunia.com/advisories/51976 http://secunia.com/advisories/52791 http://ubuntu.com/usn/usn-1779-1 https://bugzilla.gnome.org/show_bug.cgi?id=693214 https://bugzilla.redhat.com/show_bug.cgi?id=894352 https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1 https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f https:/ • CWE-310: Cryptographic Issues •
CVE-2013-1799
https://notcve.org/view.php?id=CVE-2013-1799
Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91, does not properly validate SSL certificates when creating accounts for providers who use the libsoup library, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. NOTE: this issue exists because of an incomplete fix for CVE-2013-0240. Gnome Online Accounts (GOA) 3.6.x anterior a 3.6.3 y 3.7.x anterior a 3.7.91, no valida adecuadamente los certificados SSL cuando crear cuentas para proveedores que utilizan la biblioteca libsoup, lo que permite a atacantes "man-in-the-middle", obtener información sensible como credenciales mediante la captura de tráfico de red. NOTA: este problema existe ya que no se corrigió correctamente la vulnerabilidad CVE-2013-0240. • http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html http://secunia.com/advisories/51976 http://secunia.com/advisories/52791 http://ubuntu.com/usn/usn-1779-1 https://bugzilla.gnome.org/show_bug.cgi?id=693214 https://bugzilla.gnome.org/show_bug.cgi?id=695106 https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8 https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html https://mail.gnome.org/archives/gnome-a • CWE-310: Cryptographic Issues •