Description
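Drop extra capabilities from gnome-shell. They're optional and they break shutdown from the login screen with new glibs. (CVE-2021-3982)
The capability behind the CVE is CAP_SYS_NICE. According to the CVE record below, a local attacker with low privileges may take advantage of it to raise process scheduler priority, which can deny service to other services on the same machine; the impact is availability only (CVSS 3.1 base score 5.5, C:N/I:N/A:H). The record below lists Mageia 8 gnome-shell packages older than 3.38.3-2.1 as affected. After updating, `getcap` on the installed gnome-shell binary should no longer report file capabilities.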
Affected Package
Related
{"id": "MGASA-2022-0007", "vendorId": null, "type": "mageia", "bulletinFamily": "unix", "title": "Updated gnome-shell packages fix security vulnerability\n", "description": "Drop extra capabilities from gnome-shell. They're optional and they break shutdown from the login screen with new glibs. (CVE-2021-3982) \n", "published": "2022-01-05T22:45:33", "modified": "2022-01-05T22:45:33", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1}, "severity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, "href": "https://advisories.mageia.org/MGASA-2022-0007.html", "reporter": "Gentoo Foundation", "references": ["https://bugs.mageia.org/show_bug.cgi?id=29825", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SCLTOBHCAJ5W2MER2M53HAM2IBEBL2AC/"], "cvelist": ["CVE-2021-3982"], "immutableFields": [], "lastseen": "2022-05-11T17:20:14", "viewCount": 3, "enchantments": {"score": {"value": 1.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-3982"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-3982"]}, {"type": "fedora", "idList": 
["FEDORA:2B3CF3052D9F", "FEDORA:699553059E08", "FEDORA:7FA2A3085A35"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-3982"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-3982"]}]}, "epss": [{"cve": "CVE-2021-3982", "epss": "0.000430000", "percentile": "0.069270000", "modified": "2023-03-19"}], "vulnersScore": 1.7}, "_state": {"score": 1660007483, "dependencies": 1660004461, "epss": 1679288289}, "_internal": {"score_hash": "643342d3129fbdb14d6c297f13a3face"}, "affectedPackage": [{"OS": "Mageia", "OSVersion": "8", "arch": "noarch", "packageVersion": "3.38.3-2.1", "operator": "lt", "packageFilename": "gnome-shell-3.38.3-2.1.mga8", "packageName": "gnome-shell"}]}
{"debiancve": [{"lastseen": "2023-03-14T06:06:14", "description": "Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-29T17:15:00", "type": "debiancve", "title": "CVE-2021-3982", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2022-04-29T17:15:00", "id": "DEBIANCVE:CVE-2021-3982", "href": "https://security-tracker.debian.org/tracker/CVE-2021-3982", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:20:53", "description": "Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a\nprivilege escalation issue. 
An attacker, with low privilege permissions,\nmay take advantage of the way CAP_SYS_NICE is currently implemented and\neventually load code to increase its process scheduler priority leading to\npossible DoS of other services running in the same machine.\n\n#### Bugs\n\n * <https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4711>\n * <https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=2024174>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | Red Hat's gnome-shell packaging was setting CAP_SYS_NICE on the gnome-shell binary. Ubuntu packaging does not do that, so is not vulnerable to this issue.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-29T00:00:00", "type": "ubuntucve", "title": "CVE-2021-3982", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2022-04-29T00:00:00", "id": "UB:CVE-2021-3982", "href": "https://ubuntu.com/security/CVE-2021-3982", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "fedora": [{"lastseen": "2022-05-11T18:24:58", "description": "GNOME 
Shell provides core user interface functions for the GNOME 3 desktop, like switching to windows and launching applications. GNOME Shell takes advantage of the capabilities of modern graphics hardware and introduces innovative user interface concepts to provide a visually attractive and easy to use experience. ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-28T01:07:46", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: gnome-shell-40.7-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2021-12-28T01:07:46", "id": "FEDORA:2B3CF3052D9F", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SCLTOBHCAJ5W2MER2M53HAM2IBEBL2AC/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-05-11T18:24:58", "description": "GNOME Shell Extensions is a collection of extensions providing additional a nd optional functionality to GNOME Shell. 
Enabled extensions: * apps-menu * auto-move-windows * drive-menu * launch-new-instance * native-window-placement * places-menu * screenshot-window-sizer * user-theme * window-list * windowsNavigator * workspace-indicator ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-28T01:07:46", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: gnome-shell-extensions-40.5-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2021-12-28T01:07:46", "id": "FEDORA:699553059E08", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z6BH7VDTIY5TMRGICTKRDEOW5C5RJSEL/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-05-11T18:24:58", "description": "Mutter is a window and compositing manager that displays and manages your desktop via OpenGL. Mutter combines a sophisticated display engine using the Clutter toolkit with solid window-management logic inherited from the Metacity window manager. 
While Mutter can be used stand-alone, it is primarily intended to be used as the display core of a larger system such as GNOME Shell. For this reason, Mutter is very extensible via plugins, which are used both to add fancy visual effects and to rework the window management behaviors to meet the needs of the environment. ", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-12-28T01:07:46", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: mutter-40.7-1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2021-12-28T01:07:46", "id": "FEDORA:7FA2A3085A35", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6A6JOVGHBCUV6ABGFUFNNNAJCLCCMZCK/", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2023-02-15T15:19:15", "description": "Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. 
An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-04-29T17:15:00", "type": "cve", "title": "CVE-2021-3982", "cwe": ["CWE-273"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2023-02-03T01:57:00", "cpe": ["cpe:/a:gnome:gnome-shell:-"], "id": "CVE-2021-3982", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3982", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:gnome:gnome-shell:-:*:*:*:*:*:*:*"]}], "redhatcve": [{"lastseen": "2023-03-08T02:15:19", "description": "Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. 
An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-24T14:08:15", "type": "redhatcve", "title": "CVE-2021-3982", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3982"], "modified": "2023-03-08T00:03:18", "id": "RH:CVE-2021-3982", "href": "https://access.redhat.com/security/cve/cve-2021-3982", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}]}