Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Simon McVittie
smcv at debian.org
Sun Sep 17 18:17:51 BST 2023
On Sun, 17 Sep 2023 at 16:49:59 +0200, Salvatore Bonaccorso wrote:
> In this case we even not have yet decided if it's warranted or not,
> but I just aimed to make an unstable report to get it for sure fixed
> there already.
>
> Lets decide on it and either me or another team member will come back
> to you.
If the security team would like to issue a DSA for
this, I've prepared a proposed minimal security update in
https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/75
and tested it in a VM. I confirm that I can reproduce
the issue with current bookworm by following the steps in
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990#note_1840101,
and in the proposed version I can no longer reproduce the issue.
I can upload this to security-master if wanted, or the security
team or other GNOME team members are welcome to sponsor it
or upload their own version if they would like to take my
response time off the critical path. Unsigned packages are in
https://people.debian.org/~smcv/bug1052067/, diff attached.
My understanding is that I am not permitted to upload signed packages
anywhere until the security team has given approval to upload to
security-master, because if I did, someone else would be able to upload
them to security-master in a way that would cause extra work for the
security team; so I have not uploaded any signed packages. I apologise
if this is wrong or has caused inconvenience.
If the security team declines to issue a DSA for this, then we will need
to retarget this to stable-proposed-updates. Please let me know which
route should be taken, because I'm aware that the deadline for 12.2 is
next weekend, and I will probably be unable to carry out any Debian work
next weekend due to other commitments.
Unrelated to this CVE, I have been trying to prepare a stable bugfix
update for mutter and gnome-shell incorporating upstream releases 43.7
and 43.8, and now gnome-shell 43.9 as well. The diff for these now cannot
be finalized until we know which route will be taken to fix this CVE.
smcv
More information about the pkg-gnome-maintainers
mailing list