gnome-shell: CVE-2020-17489

Related Vulnerabilities: CVE-2020-17489  

Debian Bug report logs - #968311
gnome-shell: CVE-2020-17489

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 12 Aug 2020 19:57:02 UTC

Severity: important

Tags: security, upstream

Found in version gnome-shell/3.36.4-1

Fixed in version gnome-shell/3.36.5-1

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#968311; Package src:gnome-shell. (Wed, 12 Aug 2020 19:57:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 12 Aug 2020 19:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-shell: CVE-2020-17489
Date: Wed, 12 Aug 2020 21:54:00 +0200
Source: gnome-shell
Version: 3.36.4-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for gnome-shell.

CVE-2020-17489[0]:
| An issue was discovered in certain configurations of GNOME gnome-shell
| through 3.36.4. When logging out of an account, the password box from
| the login dialog reappears with the password still visible. If the
| user had decided to have the password shown in cleartext at login
| time, it is then visible for a brief moment upon a logout. (If the
| password were never shown in cleartext, only the password length is
| revealed.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-17489
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17489
[1] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
[2] https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377
[3] https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#968311. (Wed, 12 Aug 2020 23:42:02 GMT).


Message #8 received at 968311-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 968311-submitter@bugs.debian.org
Subject: Bug#968311 marked as pending in gnome-shell
Date: Wed, 12 Aug 2020 23:39:04 +0000
Control: tag -1 pending

Hello,

Bug #968311 in gnome-shell reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/gnome-shell/-/commit/e4d10e5c065e737cbe116326a5a0cdd672ce0971

------------------------------------------------------------------------
New upstream release

Closes: #968311
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/968311



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 968311-submitter@bugs.debian.org. (Wed, 12 Aug 2020 23:42:02 GMT).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Thu, 13 Aug 2020 00:06:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 13 Aug 2020 00:06:03 GMT).


Message #15 received at 968311-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 968311-close@bugs.debian.org
Subject: Bug#968311: fixed in gnome-shell 3.36.5-1
Date: Thu, 13 Aug 2020 00:03:37 +0000
Source: gnome-shell
Source-Version: 3.36.5-1
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
gnome-shell, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 968311@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gnome-shell package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 12 Aug 2020 21:28:22 +0100
Source: gnome-shell
Architecture: source
Version: 3.36.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 968311
Changes:
 gnome-shell (3.36.5-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream release
     - Fix password briefly showing on login dialog during logout if it
       was previously made visible (CVE-2020-17489, Closes: #968311)
   * Drop most patches, applied upstream





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 13 10:22:58 2020; Machine Name: bembo
