Bug 27303

Summary: gnome-shell new security issue CVE-2020-17489
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, mageia, ouaurelien, sysadmin-bugs
Version: 7 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: gnome-shell-3.32.1-2.1.mga7.src.rpm CVE: CVE-2020-17489
Status comment:

Description David Walser 2020-09-22 19:49:12 CEST
Debian-LTS has issued a security advisory on September 15:
https://www.debian.org/lts/security/2020/dla-2374

The issue is fixed upstream in 3.36.5.
Comment 1 Lewis Smith 2020-09-22 20:57:54 CEST
This has been maintained by various packagers, so assigning it to the Gnome team.

Assignee: bugsquad => gnome

Comment 2 David Walser 2020-11-11 00:46:19 CET
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html
Comment 4 Nicolas Lécureuil 2021-03-11 18:24:53 CET
Can QA check if we are affected by this bug?

CC: (none) => mageia

Comment 5 David Walser 2021-03-12 01:39:04 CET
Is there a reason to think we're not?
Comment 6 David Walser 2021-06-28 17:52:09 CEST
Advisory:
========================

Updated gnome-shell packages fix security vulnerability:

An issue was discovered in certain configurations of GNOME gnome-shell through
3.36.4. When logging out of an account, the password box from the login dialog
reappears with the password still visible. If the user had decided to have the
password shown in cleartext at login time, it is then visible for a brief
moment upon a logout. (If the password were never shown in cleartext, only the
password length is revealed.) (CVE-2020-17489).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17489
https://www.debian.org/lts/security/2020/dla-2374
========================

Updated packages in core/updates_testing:
========================
gnome-shell-3.32.1-2.2.mga7

from gnome-shell-3.32.1-2.2.mga7.src.rpm

Assignee: gnome => qa-bugs
Status comment: Patch available from upstream and openSUSE => (none)

Comment 7 Brian Rockwell 2021-07-08 15:57:30 CEST
installed

- logged out

- rebooted

no issues

CC: (none) => brtians1

Brian Rockwell 2021-07-08 16:04:56 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2021-07-08 21:18:32 CEST
Validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-08 22:41:32 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-17489

Comment 9 Mageia Robot 2021-07-09 00:44:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0316.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED