| Field | Value |
|---|---|
| Summary | <gnome-base/gnome-shell-3.22.3-r2: Arbitrary command execution |
| Product | Gentoo Security |
| Reporter | Michael Boyle <boylemic> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | gnome |
| Priority | Normal |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288 |
| Whiteboard | B3 [noglsa cve] |
| Package list | gnome-base/gnome-shell-3.22.3-r2 amd64 x86 |
| Runtime testing required | --- |
| Bug Depends on | 583422 |
| Bug Blocks | |
Description

Michael Boyle, 2017-04-27 03:46:34 UTC

Upstream has no idea why this would get a CVE assigned and be treated as some sort of security issue instead of just a little bug, as in addition to having to have a buggy extension, the user has to have changed, or be coerced to change, the disable-extension-version-validation setting, which is not exposed anywhere but command line gsettings usage when finding out the key to change or dconf-editor (which tells you changing stuff might break things). And it's not about having version validation disabled; the setting has to have been toggled in the same gnome-shell session prior to that screen lock. Nevertheless, I'll of course include a patch in a revbump, but as there is really no urgency here, probably tomorrow or weekend.

commit fb7831fd8eb23dd60054c6d564631d4b2549b5bf
Author: Mart Raudsepp <leio@gentoo.org>
Date: Sat Apr 29 20:47:42 2017 +0300

    gnome-base/gnome-shell: fix bug triggered by version validation ignoring setting toggling

    This has a CVE-2017-8288 assigned for some reason.

    Gentoo-bug: 616698

An automated check of this bug failed - the following atom is unknown: gnome-base/gnome-shell-3.22.3-r2. Please verify the atom list.

Removing sanity-check result for a rerun; the bot seems to be too fast and missed that I already pushed the atom, but only half a minute before.

An automated check of this bug failed - the following atom is unknown: gnome-base/gnome-shell-3.22.3-r2. Please verify the atom list.

Maybe now it'll have noticed such an atom does exist, since before it was added here initially...

An automated check of this bug failed - the following atom is unknown: gnome-base/gnome-shell-3.22.3-r2. Please verify the atom list.

The backing repo somehow broke, I reset it now.

amd64 stable.

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Maintainer(s), thank you for your work.

GLSA Vote: No. Maintainer(s), please drop the vulnerable version(s).

Cleanup has happened via https://gitweb.gentoo.org/repo/gentoo.git/commit/gnome-base/gnome-shell?id=15906310b95ac63b478b4ccdff509c05c37317f2

Repository is clean, all done.