Moderate: GNOME security, bug fix, and enhancement update

Synopsis

Moderate: GNOME security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for GNOME is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

GNOME is the default desktop environment of Red Hat Enterprise Linux.

Security Fix(es):

  • LibRaw: stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp (CVE-2018-20337)
  • gdm: lock screen bypass when timed login is enabled (CVE-2019-3825)
  • gvfs: mishandling of file ownership in daemon/gvfsbackendadmin.c (CVE-2019-12447)
  • gvfs: race condition in daemon/gvfsbackendadmin.c due to admin backend not implementing query_info_on_read/write (CVE-2019-12448)
  • gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges (CVE-2019-12449)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat CodeReady Linux Builder for x86_64 8 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
  • Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
  • Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x

Fixes

  • BZ - 1365717 - Spice Guest's resolution doesn't update after login the guest
  • BZ - 1656988 - network: add vpn dialog looks odd
  • BZ - 1658001 - Wacom tablet still shown after removal
  • BZ - 1661555 - CVE-2018-20337 LibRaw: stack-based buffer overflow in the parse_makernote function of dcraw_common.cpp
  • BZ - 1666070 - Wacom Cintiq 22HD and 22HD Touch are Missing Touch Strip Mode Selection
  • BZ - 1668901 - Cannot Add Keyboard Layout to Login Screen
  • BZ - 1671744 - Rebase libraw to 0.19.5
  • BZ - 1672825 - CVE-2019-3825 gdm: lock screen bypass when timed login is enabled
  • BZ - 1674535 - Rebase to 3.28.2
  • BZ - 1684729 - gnome-remote-desktop prompts for password after set to ask for permission
  • BZ - 1687979 - [X11 Session] Various Wacom Screen Tablets Behave Like the Mode Strip Only has one Mode
  • BZ - 1690170 - [nvidia binary] Panning incorrectly sets boundaries and creates artifacting outside of boundaries
  • BZ - 1692299 - Crash of control center when wired network info window is closed while another module is in the background
  • BZ - 1710882 - Allow multiple XDMCP sessions in parallel from the same user account
  • BZ - 1715890 - should throw redhat-menus into a ditch
  • BZ - 1716754 - Tapping is disabled on Wacom touchpads
  • BZ - 1716761 - Lower stylus button does not work
  • BZ - 1716767 - Dragging an icon with a stylus has weird side-effects
  • BZ - 1716774 - Tablet ring mappings aren't reflected in the OSD
  • BZ - 1719819 - Gnome garbage collection leak [rhel-8]
  • BZ - 1720249 - Offer subscription enrollment in gnome-settings-daemon
  • BZ - 1720251 - Offer subscription enrollment in gnome-control-center
  • BZ - 1721124 - ** (nautilus:4549): CRITICAL **: 14:01:37.418: eel_timed_wait_stop: assertion 'wait != NULL' failed
  • BZ - 1721133 - bunch of CRITICAL messages after trashing a file
  • BZ - 1723462 - Backport the permanent scrollbar setting
  • BZ - 1723464 - Backport the permanent scrollbar setting
  • BZ - 1724302 - Include the Gnome GUI in RHEL 8 AARCH64
  • BZ - 1725154 - no link to website in about dialog
  • BZ - 1728330 - $HOME/.profile not sourced on graphical login - .bash_profile is sourced
  • BZ - 1728562 - CVE-2019-12447 gvfs: mishandling of file ownership in daemon/gvfsbackendadmin.c
  • BZ - 1728564 - CVE-2019-12448 gvfs: race condition in daemon/gvfsbackendadmin.c due to admin backend not implementing query_info_on_read/write
  • BZ - 1728567 - CVE-2019-12449 gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges
  • BZ - 1730612 - There are two different high contrast versions of desktop icons
  • BZ - 1730891 - Cannot Select Drop-down Menus with Stylus
  • BZ - 1736742 - Backport the permanent scrollbar setting
  • BZ - 1742710 - [abrt] [faf] gnome-settings-daemon: NSSRWLock_LockRead_Util(): /usr/libexec/gsd-smartcard killed by 11
  • BZ - 1744452 - Enable wayland support for qxl-vga
  • BZ - 1744527 - Enable wayland support for cirrus
  • BZ - 1745147 - GDM does not prevent users with login shell /sbin/nologin from logging on
  • BZ - 1747972 - Disable libbluray dependency
  • BZ - 1749372 - Gtk-CRITICAL **: 15:20:42.388: gtk_widget_is_visible: assertion 'GTK_IS_WIDGET (widget)' failed
  • BZ - 1750516 - GDM initial setup fails to identify that it is connected to an IPA server
  • BZ - 1753520 - Update vala to 0.40.19
  • BZ - 1759075 - Syncing process does not finish when using "Safely Remove Drive"
  • BZ - 1759525 - mouse buttons stop responding after rapid input
  • BZ - 1759619 - [Xorg Classic] Cannot Restore Wacom Tablet Screen Mapping
  • BZ - 1759913 - Show cockpit and addons in gnome-software
  • BZ - 1760363 - evince addons causing problems in gnome-software
  • BZ - 1763207 - Screen Sharing is not retaining a password setting
  • BZ - 1765448 - remote session shows black screen when starting
  • BZ - 1765632 - Can't install both libxslt-devel.i686 and libxslt-devel.x86_64 on RHEL 8.1
  • BZ - 1766649 - Keyboard and mouse are unresponsive after ~45 days of uptime
  • BZ - 1766695 - Invalid read under idle_monitor_dispatch_timeout()
  • BZ - 1768461 - Metadata needs update due to change in evince
  • BZ - 1776530 - Bug 1579257 also affects EL8
  • BZ - 1777556 - [Wayland] Various Wacom Screen Tablet Functions Displayed on Incorrect Screen
  • BZ - 1777911 - [abrt] [faf] gnome-shell: unknown function(): /usr/bin/gnome-shell killed by 5
  • BZ - 1778668 - [abrt] [faf] gnome-control-center: unknown function(): /usr/bin/gnome-control-center killed by 11
  • BZ - 1782425 - Placeholder text is not shown after removing last VPN connection
  • BZ - 1782497 - [X11 Session] Clicking Devices, Details or Network Crashes Control Center
  • BZ - 1782517 - [X11 Session] Lenovo x230t Stylus not Detected (Wacom)
  • BZ - 1785233 - Clutter-Conform:ERROR:actor-shader-effect.c:233:paint_cb: assertion failed (get_pixel (50, 50) == 0xff0000): (0 == 16711680)
  • BZ - 1789474 - Enrolling fingerprint requires more finger touches than shown in control-center
  • BZ - 1793413 - Boxes is showing only OSes that are recognized via osinfo-db
  • BZ - 1804123 - Incorrectly shows enabled extensions as disabled after enable-all
  • BZ - 1809079 - gnome-shell core dump after connection to docking station

CVEs

  • CVE-2018-20337
  • CVE-2019-3825
  • CVE-2019-12447
  • CVE-2019-12448
  • CVE-2019-12449

References