Bug 736802 (CVE-2020-17489) - <gnome-base/gnome-shell-{3.34.5-r1, 3.36.5}: Password from logged-out user may be shown on login screen (CVE-2020-17489)
Summary: <gnome-base/gnome-shell-{3.34.5-r1, 3.36.5}: Password from logged-out user ma...
Status: RESOLVED FIXED
Alias: CVE-2020-17489
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/gnome-...
Whiteboard: A4 [glsa+ cve]
Reported: 2020-08-11 21:42 UTC by Sam James
Modified: 2020-12-27 07:45 UTC
Package list:
gnome-base/gnome-shell-3.34.5-r1
Runtime testing required: Yes


Description Sam James archtester gentoo-dev Security 2020-08-11 21:42:10 UTC
Description:
"An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"
Comment 1 Sam James archtester gentoo-dev Security 2020-08-11 21:43:13 UTC
Looks like there are patches for 3.36.x in the bug, not clear if being backported to 3.34 yet (someone has asked in the thread: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997#note_889008).
Comment 2 Mart Raudsepp gentoo-dev 2020-08-12 07:14:33 UTC
Might be an excuse to just get most of GNOME 3.36 stabilized and not bother with 3.34 :)
Though a bit confusing when most of the metas aren't ready yet (I think mainly waiting on dealing with vte/gnome-terminal patchset at this point, plus a couple easy bumps)
Comment 3 Mart Raudsepp gentoo-dev 2020-08-12 07:42:03 UTC
It looks like in 3.34 the security issue is that you can see the password length, and in 3.36 you could see the password too, but only if the logging in happened with the password visible via the new feature that can toggle password to be visible on entry.
So I'm not sure it really matters much for 3.34 at all?
Comment 4 Larry the Git Cow gentoo-dev 2020-08-13 20:39:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c4bb6c530c0a64b7e0c776806882026798bc1dc

commit 9c4bb6c530c0a64b7e0c776806882026798bc1dc
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-13 20:38:14 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-13 20:38:20 +0000

    gnome-base/gnome-shell: backport fix for CVE-2020-17489
    
    Bug: https://bugs.gentoo.org/736802
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 .../gnome-shell/files/3.34.5-CVE-2020-17489.patch  |  47 +++++
 .../gnome-shell/gnome-shell-3.34.5-r1.ebuild       | 198 +++++++++++++++++++++
 2 files changed, 245 insertions(+)
Comment 5 Mart Raudsepp gentoo-dev 2020-08-13 20:41:36 UTC
It would be nice if someone runtime tested this logout business, as I've done a blind backport for the 3.34.5 (3.34 didn't have ES5 trailing commas yet or something).
I'm aware that 3.36 is still vulnerable in Gentoo after the 3.34 patching; need to runtime test that myself tomorrow/weekend and maybe grab a couple extra patches into there on top of 3.36.5.
Comment 6 Larry the Git Cow gentoo-dev 2020-08-14 08:23:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19dda776a2db2244348857684ddc1a7513c8959e

commit 19dda776a2db2244348857684ddc1a7513c8959e
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-14 07:07:00 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-14 08:22:09 +0000

    gnome-base/gnome-shell: bump to 3.36.5
    
    Bug: https://bugs.gentoo.org/736802
    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-base/gnome-shell/Manifest                  |   2 +
 gnome-base/gnome-shell/gnome-shell-3.36.5.ebuild | 190 +++++++++++++++++++++++
 2 files changed, 192 insertions(+)
Comment 7 Sam James archtester gentoo-dev Security 2020-08-29 13:27:50 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-30 01:11:57 UTC
x86 done

all arches done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-30 01:14:21 UTC
Please clean up.
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:01:16 UTC
New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:41:36 UTC
This issue was resolved and addressed in
 GLSA 202009-08 at https://security.gentoo.org/glsa/202009-08
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-09-13 23:42:06 UTC
Re-opening for cleanup.
Comment 13 NATTkA bot gentoo-dev 2020-11-07 15:24:57 UTC
Unable to check for sanity:

> no match for package: gnome-base/gnome-shell-3.34.5-r1
Comment 14 John Helmert III (ajak) 2020-12-27 07:45:50 UTC
Cleanup appears to be done for a while, so we're all done; GLSA already released. Thanks all.


commit 191651ae7e03e1870da7c57d0037e9809971bb71
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Nov 7 16:46:19 2020 +0200

    gnome-base/gnome-shell: remove old

    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 delete mode 100644 gnome-base/gnome-shell/files/3.28.3-defaults.patch
 delete mode 100644 gnome-base/gnome-shell/files/3.34.4-custom_stylesheet_crash.patch
 delete mode 100644 gnome-base/gnome-shell/files/3.34.5-CVE-2020-17489.patch
 delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.34.5-r1.ebuild
 delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.34.5.ebuild

commit a147a84a1cdc6944c458dbd56e81cf931bf4f925
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Fri Aug 14 10:10:19 2020 +0300

    gnome-base/gnome-shell: remove old

    Package-Manager: Portage-2.3.103, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4-r1.ebuild
 delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4-r2.ebuild
 delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4.ebuild