Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Salvatore Bonaccorso
carnil at debian.org
Mon Sep 18 06:27:24 BST 2023
Hi Simon,
On Sun, Sep 17, 2023 at 09:24:19PM +0100, Simon McVittie wrote:
> On Sun, 17 Sep 2023 at 20:57:36 +0200, Salvatore Bonaccorso wrote:
> > On Sun, Sep 17, 2023 at 07:09:45PM +0100, Simon McVittie wrote:
> > > As far as I can tell, oldstable is not affected by this, because it
> > > doesn't appear to have the new screenshot UI in js/ui/screenshot.js that
> > > has the vulnerability.
> >
> > Do you think it's safe to say that the issue is introduced around the
> > commits which introduce in the screenshot-ui the screenshot/screencast
> > toggles, e.g. 497d9f32eb02 ("screenshot-ui: Add screenshot/screencast
> > toggle") and eb60fa290882 ("screenshot-ui: Bind button to shot/cast")
> > which are in 42.beta upstream?
>
> Perhaps a little earlier than that, but I can't see how versions earlier
> than 8ebc478f "Add scaffolding for the new screenshot UI" could be
> vulnerable, and that commit was also first released in 42.beta.
Thank you, I have updated the security-tracker accordingly.
Moritz is taking care of releasing the DSA.
Regards,
Salvatore