Bug#1072124: gnome-shell: CVE-2024-36472
Jeremy Bícha
jeremy.bicha at canonical.com
Tue May 28 22:33:32 BST 2024
Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
On Tue, May 28, 2024 at 5:24 PM Moritz Mühlenhoff <jmm at inutil.org> wrote:
> CVE-2024-36472[0]:
> | In GNOME Shell through 45.7, a portal helper can be launched
> | automatically (without user confirmation) based on network responses
> | provided by an adversary (e.g., an adversary who controls the local
> | Wi-Fi network), and subsequently loads untrusted JavaScript code,
> | which may lead to resource consumption or other impacts depending on
> | the JavaScript code's behavior.
The initial GNOME issue was closed already (the CVE was requested by
someone who is not a GNOME developer). But GNOME Shell may change the
workflow for the captive portal helper so we can leave this bug open,
pointing to the new issue that was opened upstream.
Thank you,
Jeremy Bícha