Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616698 (CVE-2017-8288) - <gnome-base/gnome-shell-3.22.3-r2: Arbitrary command execution
Summary: <gnome-base/gnome-shell-3.22.3-r2: Arbitrary command execution
Status: RESOLVED FIXED
Alias: CVE-2017-8288
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 583422
Blocks:
  Show dependency tree
 
Reported: 2017-04-27 03:46 UTC by Michael Boyle
Modified: 2017-06-04 23:23 UTC (History)
1 user (show)

See Also:
Package list:
gnome-base/gnome-shell-3.22.3-r2 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-04-27 03:46:34 UTC
nome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Comment 1 Mart Raudsepp gentoo-dev 2017-04-27 21:41:25 UTC
Upstream has no idea why this would get a CVE assigned and be treated as some sort of security issue instead of just a little bug.
As in addition to having to have a buggy extension, the user has to have changed, or be coerced to change, the disable-extension-version-validation setting, which is not exposed anywhere but command line gsettings usage when finding out the key to change or dconf-editor (which tells you changing stuff might break things). And it's not about having version validation disabled, the setting has to have been toggled in the same gnome-shell session prior to that screen lock.
Nevertheless, I'll of course include a patch in a revbump, but as there is really no urgency here, probably tomorrow or weekend.
Comment 2 Mart Raudsepp gentoo-dev 2017-04-29 17:53:10 UTC
commit fb7831fd8eb23dd60054c6d564631d4b2549b5bf
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Apr 29 20:47:42 2017 +0300

    gnome-base/gnome-shell: fix bug triggered by version validation ignoring setting toggling
    
    This has a CVE-2017-8288 assigned for some reason.
    
    Gentoo-bug: 616698
Comment 3 Stabilization helper bot gentoo-dev 2017-04-29 18:00:27 UTC
An automated check of this bug failed - the following atom is unknown:

gnome-base/gnome-shell-3.22.3-r2

Please verify the atom list.
Comment 4 Mart Raudsepp gentoo-dev 2017-04-29 18:24:56 UTC
Removing sanity-check result for a rerun, bot seems to be too fast and miss that I already pushed the atom, but only half a minute before
Comment 5 Stabilization helper bot gentoo-dev 2017-04-29 19:00:30 UTC
An automated check of this bug failed - the following atom is unknown:

gnome-base/gnome-shell-3.22.3-r2

Please verify the atom list.
Comment 6 Mart Raudsepp gentoo-dev 2017-04-30 10:50:45 UTC
Maybe now it'll have noticed such an atom does exist since before it was added here initially...
Comment 7 Stabilization helper bot gentoo-dev 2017-04-30 11:03:00 UTC
An automated check of this bug failed - the following atom is unknown:

gnome-base/gnome-shell-3.22.3-r2

Please verify the atom list.
Comment 8 Michael Palimaka (kensington) gentoo-dev 2017-04-30 11:46:31 UTC
The backing repo somehow broke, I reset it now.
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-03 14:56:33 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-04 15:56:38 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-05-04 23:58:50 UTC
Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 23:23:37 UTC
Cleanup has happen via https://gitweb.gentoo.org/repo/gentoo.git/commit/gnome-base/gnome-shell?id=15906310b95ac63b478b4ccdff509c05c37317f2

Repository is clean, all done.