gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
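The failure mode described above (a reload that throws mid-loop, leaving the remaining extensions in their previous enabled state) is shown here as an added illustration in plain JavaScript. This is not gnome-shell's code and not the patch from this bug; the extension objects, the `allowedModes` field, the `reload()` method and the mode name `'unlock-dialog'` are constructed for the example.

```javascript
// Added illustration, not gnome-shell's own code: a session-mode switch
// (e.g. into the lock screen) must disable every extension that is not
// allowed in the new mode. If an extension's reload throws inside an
// unguarded loop, the exception escapes and the extensions after it keep
// their previous (enabled) state.

// Constructed sample extensions; `allowedModes` and `reload` are
// hypothetical fields chosen for this example.
function makeExtensions() {
  return [
    { uuid: 'clock@example', allowedModes: ['user', 'unlock-dialog'],
      enabled: true, reload() {} },
    { uuid: 'broken@example', allowedModes: ['user'],
      enabled: true, reload() { throw new Error('reload failed'); } },
    { uuid: 'launcher@example', allowedModes: ['user'],
      enabled: true, reload() {} },
  ];
}

function enabledUuids(extensions) {
  return extensions.filter((e) => e.enabled).map((e) => e.uuid);
}

// Vulnerable pattern: no per-extension exception handling, so the first
// throwing reload aborts the whole loop.
function switchModeUnguarded(extensions, mode) {
  for (const ext of extensions) {
    ext.reload();                                   // throws for broken@example
    ext.enabled = ext.allowedModes.includes(mode);
  }
}

// Hardened pattern: each extension is handled in its own try/catch, so a
// failure is recorded, that extension is disabled (fail closed), and the
// loop continues with the rest.
function switchModeGuarded(extensions, mode) {
  const errors = [];
  for (const ext of extensions) {
    try {
      ext.reload();
      ext.enabled = ext.allowedModes.includes(mode);
    } catch (e) {
      errors.push(`${ext.uuid}: ${e.message}`);
      ext.enabled = false;
    }
  }
  return errors;
}

// Which extensions remain enabled after the unguarded switch aborts.
function lockScreenUnguarded() {
  const exts = makeExtensions();
  try {
    switchModeUnguarded(exts, 'unlock-dialog');
  } catch (e) {
    // The exception propagates to the caller; the state below is what the
    // aborted loop left behind.
  }
  return enabledUuids(exts);
}

// Which extensions remain enabled after the guarded switch, plus the errors
// it recorded.
function lockScreenGuarded() {
  const exts = makeExtensions();
  const errors = switchModeGuarded(exts, 'unlock-dialog');
  return { enabled: enabledUuids(exts), errors };
}

console.log('unguarded:', lockScreenUnguarded());
console.log('guarded:', lockScreenGuarded());
```

In the unguarded run all three constructed extensions stay enabled, including `launcher@example`, which was never reached and is not allowed on the lock screen; in the guarded run only `clock@example` remains enabled and the broken extension is reported once.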
Upstream has no idea why this would get a CVE assigned and be treated as some sort of security issue instead of just a little bug. As in addition to having to have a buggy extension, the user has to have changed, or be coerced to change, the disable-extension-version-validation setting, which is not exposed anywhere but command line gsettings usage when finding out the key to change or dconf-editor (which tells you changing stuff might break things). And it's not about having version validation disabled, the setting has to have been toggled in the same gnome-shell session prior to that screen lock. Nevertheless, I'll of course include a patch in a revbump, but as there is really no urgency here, probably tomorrow or weekend.
commit fb7831fd8eb23dd60054c6d564631d4b2549b5bf
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Apr 29 20:47:42 2017 +0300

    gnome-base/gnome-shell: fix bug triggered by version validation ignoring setting toggling

    This has a CVE-2017-8288 assigned for some reason.

    Gentoo-bug: 616698
An automated check of this bug failed - the following atom is unknown: gnome-base/gnome-shell-3.22.3-r2 Please verify the atom list.
Removing sanity-check result for a rerun, bot seems to be too fast and miss that I already pushed the atom, but only half a minute before
Maybe now it'll have noticed such an atom does exist since before it was added here initially...
The backing repo somehow broke, I reset it now.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Maintainer(s), thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Cleanup has happened via https://gitweb.gentoo.org/repo/gentoo.git/commit/gnome-base/gnome-shell?id=15906310b95ac63b478b4ccdff509c05c37317f2 Repository is clean, all done.