Bug 21631

Summary: gnome-shell possible new security issue CVE-2017-8288
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, lewyssmith, marja11, pterjan, sysadmin-bugs, tmb
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK
Source RPM: gnome-shell-3.14.3-8.1.mga5.src.rpm CVE:
Status comment:
Bug Depends on: 21759    
Bug Blocks:    

Description David Walser 2017-08-29 02:58:16 CEST 
openSUSE has issued an advisory today (August 28):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html

The description on the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1036494

says 3.22 through 3.24.1 affected, so presumably it was fixed in 3.24.2 (in Mageia 6).  The second comment in that bug says older versions are affected though, so Mageia 5 may be.
Marja Van Waes 2017-08-30 00:02:16 CEST

CC: (none) => marja11
Assignee: bugsquad => gnome

Comment 3 David Walser 2017-12-29 18:00:13 CET 
Thanks Pascal!  Mageia 5 and Mageia 6 are actually both affected.

Updates submitted to the build system, which is way behind right now.

Whiteboard: (none) => MGA5TOO
Version: 5 => 6

Comment 4 David Walser 2017-12-29 18:28:21 CET 
Updates submitted...will be available eventually.

Advisory:
========================

Updated gnome-shell packages fix security vulnerability:

gnome-shell through 3.24.1 mishandles extensions that fail to reload, which can
lead to leaving extensions enabled in the lock screen. With these extensions, a
bystander could launch applications (but not interact with them), see
information from the extensions (e.g., what applications you have opened or
what music you were playing), or even execute arbitrary commands. It all
depends on what extensions a user has enabled. The problem is caused by lack of
exception handling in js/ui/extensionSystem.js (CVE-2017-8288).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288
https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html
========================

Updated packages in core/updates_testing:
========================
gnome-shell-3.14.3-8.2.mga5
gnome-shell-docs-3.14.3-8.2.mga5
gnome-shell-3.24.2-2.1.mga6
gnome-shell-docs-3.24.2-2.1.mga6

from SRPMS:
gnome-shell-3.14.3-8.2.mga5.src.rpm
gnome-shell-3.24.2-2.1.mga6.src.rpm

Assignee: gnome => qa-bugs

Comment 5 Brian Rockwell 2017-12-31 03:23:02 CET 
The following 2 packages are going to be installed:

- gnome-shell-3.24.2-2.1.mga6.x86_64
- gnome-shell-docs-3.24.2-2.1.mga6.noarch

1.1MB of additional disk space will be used.

1.2MB of packages will be retrieved.

Is it ok to continue?


Rebooted


VBOX

$ uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


no regressinos

Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
CC: (none) => brtians1

Dave Hodgins 2017-12-31 14:14:02 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 David Walser 2018-01-01 19:33:10 CET 
Sysadmins, please re-push 5/gnome-shell to updates_testing, I just found a patch that I missed.

Keywords: (none) => feedback
CC: (none) => sysadmin-bugs, tmb
Depends on: (none) => 21759

Comment 7 Thomas Backlund 2018-01-01 21:51:30 CET 
 gnome-shell-3.14.3-8.3.mga5 submitted

Keywords: feedback => (none)

Comment 8 David Walser 2018-01-01 22:24:45 CET 
Mageia 6 update moved to Bug 21631.

Advisory:
========================

Updated gnome-shell packages fix security vulnerability:

gnome-shell through 3.24.1 mishandles extensions that fail to reload, which can
lead to leaving extensions enabled in the lock screen. With these extensions, a
bystander could launch applications (but not interact with them), see
information from the extensions (e.g., what applications you have opened or
what music you were playing), or even execute arbitrary commands. It all
depends on what extensions a user has enabled. The problem is caused by lack of
exception handling in js/ui/extensionSystem.js (CVE-2017-8288).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288
https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html
========================

Updated packages in core/updates_testing:
========================
gnome-shell-3.14.3-8.3.mga5
gnome-shell-docs-3.14.3-8.3.mga5

from gnome-shell-3.14.3-8.3.mga5.src.rpm

Keywords: advisory => (none)
Version: 6 => 5
CC: sysadmin-bugs => (none)
Whiteboard: MGA5TOO mga6-64-ok => (none)

Comment 9 Lewis Smith 2018-01-03 12:57:08 CET 
Testing M5/64
Updateed to: gnome-shell-3.14.3-8.3.mga5

Using this to revise the Advisory as per the previous comment, which involved several Gnome applications & desktop manipulations. Tried other applications at the same time. All seems as normal, so OKing the update.
As this is now Mageia 5 only, validating it as well.

(In reply to David Walser from comment #8)
> Mageia 6 update moved to Bug 21631.
*This* is the bug number cited. The new equivalent Mageia 6 bug is 21759.

Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 10 Mageia Robot 2018-01-03 19:53:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0055.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED