gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked

Debian Bug report logs - #1052067


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Sep 2023 20:57:02 UTC

Severity: important

Tags: security, upstream

Found in version gnome-shell/44.4-1

Fixed in version gnome-shell/44.5-1

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sat, 16 Sep 2023 20:57:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sat, 16 Sep 2023 20:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ghome-shell: CVE-2023-43090
Date: Sat, 16 Sep 2023 22:53:55 +0200
Source: gnome-shell
Version: 44.4-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for gnome-shell.

CVE-2023-43090[0]:
| Screenshot tool allows viewing open windows when session is locked


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43090
    https://www.cve.org/CVERecord?id=CVE-2023-43090
[1] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990
[2] https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2944

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 14:15:03 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 14:15:03 GMT)

Message #10 received at 1052067@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1052067@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 15:12:00 +0100
On Sat, 16 Sep 2023 at 22:53:55 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for gnome-shell.
> 
> CVE-2023-43090[0]:
> | Screenshot tool allows viewing open windows when session is locked

Thank you for reporting this. I'm preparing a 44.5 upload for unstable now,
after which I will look at fixes for older suites.

Does the security team intend to issue a DSA for this? It would be really
helpful if CVE reports from the security team could explicitly mention the
DSA status (wanted / not planned / undecided) so that maintainers can do
the right thing (preparing a security upload or a stable-proposed-updates
upload), without always needing an extra email round-trip to ask what the
right thing is going to be.

    smcv



Changed Bug title to 'gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked' from 'ghome-shell: CVE-2023-43090'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2023 14:15:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 14:51:08 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 14:51:08 GMT)

Message #17 received at 1052067@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>, 1052067@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 16:49:59 +0200
Hi Simon,

On Sun, Sep 17, 2023 at 03:12:00PM +0100, Simon McVittie wrote:
> On Sat, 16 Sep 2023 at 22:53:55 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for gnome-shell.
> > 
> > CVE-2023-43090[0]:
> > | Screenshot tool allows viewing open windows when session is locked
> 
> Thank you for reporting this. I'm preparing a 44.5 upload for unstable now,
> after which I will look at fixes for older suites.

Thanks!

> Does the security team intend to issue a DSA for this? It would be really
> helpful if CVE reports from the security team could explicitly mention the
> DSA status (wanted / not planned / undecided) so that maintainers can do
> the right thing (preparing a security upload or a stable-proposed-updates
> upload), without always needing an extra email round-trip to ask what the
> right thing is going to be.

I can understand the desire; usually, in our triaging process, things
which are not yet fixed in the topmost unstable suite are first
reported (to make maintainers aware in case they do not know yet);
then an orthogonal step might be to assess the package.

In case it has already been decided not to handle it via a DSA, a
no-dsa tagged entry would be found in the security-tracker.

In this case we have not even decided yet whether it's warranted or
not, but I just aimed to make an unstable report to get it fixed there
for sure already.

Let's decide on it and either I or another team member will come back
to you.

Regards,
Salvatore



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Sun, 17 Sep 2023 15:51:09 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Sep 2023 15:51:09 GMT)

Message #22 received at 1052067-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1052067-close@bugs.debian.org
Subject: Bug#1052067: fixed in gnome-shell 44.5-1
Date: Sun, 17 Sep 2023 15:49:38 +0000
Source: gnome-shell
Source-Version: 44.5-1
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
gnome-shell, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1052067@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gnome-shell package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 17 Sep 2023 13:50:52 +0100
Source: gnome-shell
Architecture: source
Version: 44.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1052067
Changes:
 gnome-shell (44.5-1) unstable; urgency=high
 .
   * Team upload
   * New upstream release
     - Fix exposing window previews on lock screen via keyboard shortcuts
       (Closes: #1052067, CVE-2023-43090, gnome-shell#6990)
     - Improve handling of latched vs. locked modes in on-screen keyboard
       (gnome-shell#5763)
     - Reverse slider direction in RTL locales (gnome-shell#5107)
     - Add missing environment variables required to launch ibus-daemon
       (gnome-shell#6998)
     - Translation updates
Checksums-Sha1:
 25a0e41ea5c72abf064ad84629b351db05bb679f 3832 gnome-shell_44.5-1.dsc
 93874bb817adbcc4c230392c011cff7218369d9b 1996432 gnome-shell_44.5.orig.tar.xz
 c5e4802ac668d18fe29fa10b8481641262b082b9 44044 gnome-shell_44.5-1.debian.tar.xz
 63e8320dd0b1402ef3411d11beb0a679f4b7cddc 21590 gnome-shell_44.5-1_source.buildinfo
Checksums-Sha256:
 6db3eb2052742f4d0c9be838527dcfcfc30b6702661910f17f09f25bd3579e87 3832 gnome-shell_44.5-1.dsc
 c16afce0381dd593427d708447a9d1fac7489eb02945efb37e904ca74a924a35 1996432 gnome-shell_44.5.orig.tar.xz
 c4936ea8ac12f252db50e91a6c86bd90dc618a9f10bcb66ba8ab3ce30c3fa259 44044 gnome-shell_44.5-1.debian.tar.xz
 ee4f281dce421763b070cb91fcaa962d2cf53b9a0a202a87eecc953cae745c1c 21590 gnome-shell_44.5-1_source.buildinfo
Files:
 897aba111ef4294ce75a05bb08f4b3d9 3832 gnome optional gnome-shell_44.5-1.dsc
 3ad3fd413264adcf6aac0dc6167c3979 1996432 gnome optional gnome-shell_44.5.orig.tar.xz
 15b73ed6ddf850593075962e7687c130 44044 gnome optional gnome-shell_44.5-1.debian.tar.xz
 a8792340b4670ec3ccc6eb4016baf0e6 21590 gnome optional gnome-shell_44.5-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature body omitted]
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 17:21:03 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 17:21:03 GMT)

Message #27 received at 1052067@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1052067@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 18:17:51 +0100
On Sun, 17 Sep 2023 at 16:49:59 +0200, Salvatore Bonaccorso wrote:
> In this case we even not have yet decided if it's warranted or not,
> but I just aimed to make an unstable report to get it for sure fixed
> there already.
> 
> Lets decide on it and either me or another team member will come back
> to you.

If the security team would like to issue a DSA for
this, I've prepared a proposed minimal security update in
https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/75
and tested it in a VM. I confirm that I can reproduce
the issue with current bookworm by following the steps in
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990#note_1840101,
and in the proposed version I can no longer reproduce the issue.

I can upload this to security-master if wanted, or the security
team or other GNOME team members are welcome to sponsor it
or upload their own version if they would like to take my
response time off the critical path. Unsigned packages are in
https://people.debian.org/~smcv/bug1052067/, diff attached.

My understanding is that I am not permitted to upload signed packages
anywhere until the security team has given approval to upload to
security-master, because if I did, someone else would be able to upload
them to security-master in a way that would cause extra work for the
security team; so I have not uploaded any signed packages. I apologise
if this is wrong or has caused inconvenience.

If the security team declines to issue a DSA for this, then we will need
to retarget this to stable-proposed-updates. Please let me know which
route should be taken, because I'm aware that the deadline for 12.2 is
next weekend, and I will probably be unable to carry out any Debian work
next weekend due to other commitments.

Unrelated to this CVE, I have been trying to prepare a stable bugfix
update for mutter and gnome-shell incorporating upstream releases 43.7
and 43.8, and now gnome-shell 43.9 as well. The diff for these now cannot
be finalized until we know which route will be taken to fix this CVE.

    smcv



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 17:27:03 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 17:27:03 GMT)

Message #32 received at 1052067@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1052067@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 18:22:00 +0100
On Sun, 17 Sep 2023 at 18:17:56 +0100, Simon McVittie wrote:
> I can upload this to security-master if wanted, or the security
> team or other GNOME team members are welcome to sponsor it
> or upload their own version if they would like to take my
> response time off the critical path. Unsigned packages are in
> https://people.debian.org/~smcv/bug1052067/, diff attached.

Sigh, diff really attached now. I'm sorry, I should be more careful not
to waste your time.

    smcv
[gnome-shell_43.6-1~deb12u2.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 17:42:02 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 17:42:03 GMT)

Message #37 received at 1052067@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: 1052067@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 19:39:24 +0200
Am Sun, Sep 17, 2023 at 06:22:00PM +0100 schrieb Simon McVittie:
> On Sun, 17 Sep 2023 at 18:17:56 +0100, Simon McVittie wrote:
> > I can upload this to security-master if wanted, or the security
> > team or other GNOME team members are welcome to sponsor it
> > or upload their own version if they would like to take my
> > response time off the critical path. Unsigned packages are in
> > https://people.debian.org/~smcv/bug1052067/, diff attached.
> 
> Sigh, diff really attached now. I'm sorry, I should be more careful not
> to waste your time.

Thanks! I think we should fix this via a DSA.

The debdiff looks fine, please build with -sa (ftp.d.o and security.d.o
don't share tarballs) and upload to security-master.

Does this also affect oldstable? If so, can you please also prepare
a backport?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1052067; Package src:gnome-shell. (Sun, 17 Sep 2023 17:51:02 GMT)

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 17 Sep 2023 17:51:03 GMT)

Message #42 received at 1052067@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 1052067@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1052067: gnome-shell: CVE-2023-43090: screenshot tool allows viewing open windows when session is locked
Date: Sun, 17 Sep 2023 18:46:36 +0100
On Sun, 17 Sep 2023 at 19:39:24 +0200, Moritz Mühlenhoff wrote:
> please build with -sa (ftp.d.o and security.d.o don't share tarballs)

I'm sorry, I should have checked more carefully.

> Does this also affect oldstable?

I'm sorry, I haven't checked that yet.

> If so, can you please also prepare a backport?

I'm sorry, I will try to do that next but I cannot guarantee any
particular timeline.

    smcv



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Sep 17 17:52:06 2023; Machine Name: buxtehude