Bug#968311: gnome-shell in stretch/buster as not affected by CVE-2020-17489

Salvatore Bonaccorso carnil at debian.org
Sat Aug 29 08:33:01 BST 2020


Hi Mike,

thanks for triaging the issue further.

On Sat, Aug 29, 2020 at 06:08:06AM +0000, Mike Gabriel wrote:
> Hi Simon,
> 
> I just looked into CVE-2020-17489/gnome-shell for stretch and buster. It
> seems that the cleartext password feature has only become available in
> gnome-shell 3.36.x.
> 
> Thus, I marked gnome-shell/buster and gnome-shell/stretch as unaffected by
> CVE-2020-17489 [1]. Please correct me, if I am wrong on this.

The reporter said that the issue was visible since 3.34 (the
password length disclosed) but then got worse with 3.36 when the
password visibility option was introduced, leaking the clear-text
password.

There seem to have been several reworks around 3.33.90 with the fade
out/opacity, so this sounds plausible, but I have not found where the
issue really got introduced and the logout started misbehaving,
showing the information, nor pinpointed the commits introducing it or
gained enough confidence source-wise where the issue started to be present.

But as the contributor did some explicit testing with the versions
between 3.28 and the 3.37.3 version, this still seems plausible to be
confirmed as introduced in 3.34 only.

Regards,
Salvatore

As a rule of thumb: for tracking vulnerabilities, we prefer to rather
err on the "wrong" side, saying something is affected but possibly marking
it as no-dsa (when it is difficult to pinpoint where the issue got
introduced), rather than be "wrong" on the other side. Thus some issues
will remain marked no-dsa when there is not enough confidence that the
issue is not really present.
