Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked

Simon McVittie smcv at debian.org
Sun Sep 17 21:24:19 BST 2023


On Sun, 17 Sep 2023 at 20:57:36 +0200, Salvatore Bonaccorso wrote:
> On Sun, Sep 17, 2023 at 07:09:45PM +0100, Simon McVittie wrote:
> > As far as I can tell, oldstable is not affected by this, because it
> > doesn't appear to have the new screenshot UI in js/ui/screenshot.js that
> > has the vulnerability.
> 
> Do you think it's safe to say that the issue is introduced around the
> commits which introduce in the screenshot-ui the screenshot/screencast
> toggles, e.g. 497d9f32eb02 ("screenshot-ui: Add screenshot/screencast
> toggle") and eb60fa290882 ("screenshot-ui: Bind button to shot/cast")
> which are in 42.beta upstream?

Perhaps a little earlier than that, but I can't see how versions earlier
than 8ebc478f "Add scaffolding for the new screenshot UI" could be
vulnerable, and that commit was also first released in 42.beta.

    smcv



More information about the pkg-gnome-maintainers mailing list