Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 736802 (CVE-2020-17489) - <gnome-base/gnome-shell-{3.34.5-r1, 3.36.5}: Password from logged-out user may be shown on login screen (CVE-2020-17489)
Summary: <gnome-base/gnome-shell-{3.34.5-r1, 3.36.5}: Password from logged-out user ma...
Status: CONFIRMED
Alias: CVE-2020-17489
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/gnome-...
Whiteboard: A4 [cleanup glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-08-11 21:42 UTC by Sam James
Modified: 2020-09-13 23:42 UTC (History)
1 user (show)

See Also:
Package list:
gnome-base/gnome-shell-3.34.5-r1
Runtime testing required: Yes
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-08-11 21:42:10 UTC
Description:
"An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"
Comment 1 Sam James gentoo-dev Security 2020-08-11 21:43:13 UTC
Looks like there's patches for 3.36.x in the bug, not clear if being backported to 3.34 yet (someone has asked in the thread: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997#note_889008).
Comment 2 Mart Raudsepp gentoo-dev 2020-08-12 07:14:33 UTC
Might be an excuse to just get most of GNOME 3.36 stabilized and not bother with 3.34 :)
Though a bit confusing when most of the metas aren't ready yet (I think mainly waiting on dealing with vte/gnome-terminal patchset at this point, plus a couple easy bumps)
Comment 3 Mart Raudsepp gentoo-dev 2020-08-12 07:42:03 UTC
It looks like in 3.34 the security issue is that you can see the password length, and in 3.36 you could see the password too, but only if the logging in happened with the password visible via the new feature that can toggle password to be visible on entry.
So I'm not sure it really matters much for 3.34 at all?
Comment 4 Larry the Git Cow gentoo-dev 2020-08-13 20:39:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c4bb6c530c0a64b7e0c776806882026798bc1dc

commit 9c4bb6c530c0a64b7e0c776806882026798bc1dc
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-13 20:38:14 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-13 20:38:20 +0000

    gnome-base/gnome-shell: backport fix for CVE-2020-17489
    
    Bug: https://bugs.gentoo.org/736802
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 .../gnome-shell/files/3.34.5-CVE-2020-17489.patch  |  47 +++++
 .../gnome-shell/gnome-shell-3.34.5-r1.ebuild       | 198 +++++++++++++++++++++
 2 files changed, 245 insertions(+)
Comment 5 Mart Raudsepp gentoo-dev 2020-08-13 20:41:36 UTC
It would be nice if someone runtime tested this logout business, as I've done a blind backport for the 3.34.5 (3.34 didn't have ES5 trailing commas yet or something).
I'm aware that 3.36 is still vulnerable in Gentoo after the 3.34 patching; need to runtime test that myself tomorrow/weekend and maybe grab a couple extra patches into there on top of 3.36.5.
Comment 6 Larry the Git Cow gentoo-dev 2020-08-14 08:23:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19dda776a2db2244348857684ddc1a7513c8959e

commit 19dda776a2db2244348857684ddc1a7513c8959e
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-14 07:07:00 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-14 08:22:09 +0000

    gnome-base/gnome-shell: bump to 3.36.5
    
    Bug: https://bugs.gentoo.org/736802
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-base/gnome-shell/Manifest                  |   2 +
 gnome-base/gnome-shell/gnome-shell-3.36.5.ebuild | 190 +++++++++++++++++++++++
 2 files changed, 192 insertions(+)
Comment 7 Sam James gentoo-dev Security 2020-08-29 13:27:50 UTC
amd64 done
Comment 8 Sam James gentoo-dev Security 2020-08-30 01:11:57 UTC
x86 done

all arches done
Comment 9 Sam James gentoo-dev Security 2020-08-30 01:14:21 UTC
Please cleanup.
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:01:16 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:41:36 UTC
This issue was resolved and addressed in
 GLSA 202009-08 at https://security.gentoo.org/glsa/202009-08
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-09-13 23:42:06 UTC
Re-opening for cleanup.