Description: "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"
Looks like there's patches for 3.36.x in the bug, not clear if being backported to 3.34 yet (someone has asked in the thread: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997#note_889008).
Might be an excuse to just get most of GNOME 3.36 stabilized and not bother with 3.34 :) Though a bit confusing when most of the metas aren't ready yet (I think mainly waiting on dealing with vte/gnome-terminal patchset at this point, plus a couple easy bumps)
It looks like in 3.34 the security issue is that you can see the password length, and in 3.36 you could see the password too, but only if the logging in happened with the password visible via the new feature that can toggle password to be visible on entry. So I'm not sure it really matters much for 3.34 at all?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c4bb6c530c0a64b7e0c776806882026798bc1dc commit 9c4bb6c530c0a64b7e0c776806882026798bc1dc Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2020-08-13 20:38:14 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2020-08-13 20:38:20 +0000 gnome-base/gnome-shell: backport fix for CVE-2020-17489 Bug: https://bugs.gentoo.org/736802 Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> .../gnome-shell/files/3.34.5-CVE-2020-17489.patch | 47 +++++ .../gnome-shell/gnome-shell-3.34.5-r1.ebuild | 198 +++++++++++++++++++++ 2 files changed, 245 insertions(+)
It would be nice if someone runtime tested this logout business, as I've done a blind backport for the 3.34.5 (3.34 didn't have ES5 trailing commas yet or something). I'm aware that 3.36 is still vulnerable in Gentoo after the 3.34 patching; need to runtime test that myself tomorrow/weekend and maybe grab a couple extra patches into there on top of 3.36.5.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19dda776a2db2244348857684ddc1a7513c8959e commit 19dda776a2db2244348857684ddc1a7513c8959e Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2020-08-14 07:07:00 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2020-08-14 08:22:09 +0000 gnome-base/gnome-shell: bump to 3.36.5 Bug: https://bugs.gentoo.org/736802 Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> gnome-base/gnome-shell/Manifest | 2 + gnome-base/gnome-shell/gnome-shell-3.36.5.ebuild | 190 +++++++++++++++++++++++ 2 files changed, 192 insertions(+)
amd64 done
x86 done all arches done
Please cleanup.
New GLSA request filed.
This issue was resolved and addressed in GLSA 202009-08 at https://security.gentoo.org/glsa/202009-08 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
Unable to check for sanity: > no match for package: gnome-base/gnome-shell-3.34.5-r1
Cleanup appears to be done for a while, so we're all done; GLSA already released. Thanks all. commit 191651ae7e03e1870da7c57d0037e9809971bb71 Author: Mart Raudsepp <leio@gentoo.org> Date: Sat Nov 7 16:46:19 2020 +0200 gnome-base/gnome-shell: remove old Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> delete mode 100644 gnome-base/gnome-shell/files/3.28.3-defaults.patch delete mode 100644 gnome-base/gnome-shell/files/3.34.4-custom_stylesheet_crash.patch delete mode 100644 gnome-base/gnome-shell/files/3.34.5-CVE-2020-17489.patch delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.34.5-r1.ebuild delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.34.5.ebuild commit a147a84a1cdc6944c458dbd56e81cf931bf4f925 Author: Mart Raudsepp <leio@gentoo.org> Date: Fri Aug 14 10:10:19 2020 +0300 gnome-base/gnome-shell: remove old Package-Manager: Portage-2.3.103, Repoman-2.3.20 Signed-off-by: Mart Raudsepp <leio@gentoo.org> delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4-r1.ebuild delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4-r2.ebuild delete mode 100644 gnome-base/gnome-shell/gnome-shell-3.36.4.ebuild
