Bug#1072124: gnome-shell: CVE-2024-36472
Jeremy Bícha
jeremy.bicha at canonical.com
Wed May 29 14:50:55 BST 2024
On Tue, May 28, 2024 at 5:37 PM Moritz Muehlenhoff <jmm at inutil.org> wrote:
>
> On Tue, May 28, 2024 at 05:33:32PM -0400, Jeremy Bícha wrote:
> > Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
> >
> > On Tue, May 28, 2024 at 5:24 PM Moritz Mühlenhoff <jmm at inutil.org> wrote:
> > > CVE-2024-36472[0]:
> > > | In GNOME Shell through 45.7, a portal helper can be launched
> > > | automatically (without user confirmation) based on network responses
> > > | provided by an adversary (e.g., an adversary who controls the local
> > > | Wi-Fi network), and subsequently loads untrusted JavaScript code,
> > > | which may lead to resource consumption or other impacts depending on
> > > | the JavaScript code's behavior.
> >
> > The initial GNOME issue was closed already (the CVE was requested by
> > someone who is not a GNOME developer). But GNOME Shell may change the
> > workflow for the captive portal helper so we can leave this bug open,
> > pointing to the new issue that was opened upstream.
>
> Yeah, the never filed a bug for the botched CVE assignment, this is the
> bug reference explicitly for the followup actionable filed by Michael Catanzaro

Oh, the bug reporter actually requested 2 CVEs. CVE-2024-36472 which
you already filed the Debian bug for, is
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688 and is
recognized as valid by GNOME.
The other CVE, CVE-2023-50977, was closed already in NIST.
Thank you,
Jeremy Bícha