openSUSE has issued an advisory today (August 28): https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html The description on the SUSE bug: https://bugzilla.suse.com/show_bug.cgi?id=1036494 says 3.22 through 3.24.1 affected, so presumably it was fixed in 3.24.2 (in Mageia 6). The second comment in that bug says older versions are affected though, so Mageia 5 may be.
CC: (none) => marja11Assignee: bugsquad => gnome
The 2 patches: https://git.gnome.org/browse/gnome-shell/commit/?id=d461d02 https://git.gnome.org/browse/gnome-shell/commit/?id=e845f41
CC: (none) => pterjan
+ https://git.gnome.org/browse/gnome-shell/commit/?id=88b1a5d3a098d83f63ca88db9d76993fe7a70e6b
Thanks Pascal! Mageia 5 and Mageia 6 are actually both affected. Updates submitted to the build system, which is way behind right now.
Whiteboard: (none) => MGA5TOOVersion: 5 => 6
Updates submitted...will be available eventually. Advisory: ======================== Updated gnome-shell packages fix security vulnerability: gnome-shell through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js (CVE-2017-8288). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288 https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html ======================== Updated packages in core/updates_testing: ======================== gnome-shell-3.14.3-8.2.mga5 gnome-shell-docs-3.14.3-8.2.mga5 gnome-shell-3.24.2-2.1.mga6 gnome-shell-docs-3.24.2-2.1.mga6 from SRPMS: gnome-shell-3.14.3-8.2.mga5.src.rpm gnome-shell-3.24.2-2.1.mga6.src.rpm
Assignee: gnome => qa-bugs
The following 2 packages are going to be installed: - gnome-shell-3.24.2-2.1.mga6.x86_64 - gnome-shell-docs-3.24.2-2.1.mga6.noarch 1.1MB of additional disk space will be used. 1.2MB of packages will be retrieved. Is it ok to continue? Rebooted VBOX $ uname -a Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux no regressinos
Whiteboard: MGA5TOO => MGA5TOO mga6-64-okCC: (none) => brtians1
CC: (none) => davidwhodginsKeywords: (none) => advisory
Sysadmins, please re-push 5/gnome-shell to updates_testing, I just found a patch that I missed.
Keywords: (none) => feedbackCC: (none) => sysadmin-bugs, tmbDepends on: (none) => 21759
gnome-shell-3.14.3-8.3.mga5 submitted
Keywords: feedback => (none)
Mageia 6 update moved to Bug 21631. Advisory: ======================== Updated gnome-shell packages fix security vulnerability: gnome-shell through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js (CVE-2017-8288). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288 https://lists.opensuse.org/opensuse-updates/2017-08/msg00101.html ======================== Updated packages in core/updates_testing: ======================== gnome-shell-3.14.3-8.3.mga5 gnome-shell-docs-3.14.3-8.3.mga5 from gnome-shell-3.14.3-8.3.mga5.src.rpm
Keywords: advisory => (none)Version: 6 => 5CC: sysadmin-bugs => (none)Whiteboard: MGA5TOO mga6-64-ok => (none)
Testing M5/64 Updateed to: gnome-shell-3.14.3-8.3.mga5 Using this to revise the Advisory as per the previous comment, which involved several Gnome applications & desktop manipulations. Tried other applications at the same time. All seems as normal, so OKing the update. As this is now Mageia 5 only, validating it as well. (In reply to David Walser from comment #8) > Mageia 6 update moved to Bug 21631. *This* is the bug number cited. The new equivalent Mageia 6 bug is 21759.
Whiteboard: (none) => MGA5-64-OKKeywords: (none) => advisory, validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0055.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED