Bug 27303 - gnome-shell new security issue CVE-2020-17489
Summary: gnome-shell new security issue CVE-2020-17489
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-09-22 19:49 CEST by David Walser
Modified: 2021-07-09 00:44 CEST

See Also:
Source RPM: gnome-shell-3.32.1-2.1.mga7.src.rpm
CVE: CVE-2020-17489
Status comment:


Description David Walser 2020-09-22 19:49:12 CEST
Debian-LTS has issued a security advisory on September 15:
https://www.debian.org/lts/security/2020/dla-2374

The issue is fixed upstream in 3.36.5.
Comment 1 Lewis Smith 2020-09-22 20:57:54 CEST
This has been maintained by various packagers, so assigning it to the Gnome team.

Assignee: bugsquad => gnome

Comment 2 David Walser 2020-11-11 00:46:19 CET
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html
Comment 4 Nicolas Lécureuil 2021-03-11 18:24:53 CET
Can QA check if we are affected by this bug?

CC: (none) => mageia

Comment 5 David Walser 2021-03-12 01:39:04 CET
Is there a reason to think we're not?
Comment 6 David Walser 2021-06-28 17:52:09 CEST
Advisory:
========================

Updated gnome-shell packages fix security vulnerability:

An issue was discovered in certain configurations of GNOME gnome-shell through
3.36.4. When logging out of an account, the password box from the login dialog
reappears with the password still visible. If the user had decided to have the
password shown in cleartext at login time, it is then visible for a brief
moment upon a logout. (If the password were never shown in cleartext, only the
password length is revealed.) (CVE-2020-17489).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17489
https://www.debian.org/lts/security/2020/dla-2374
========================

Updated packages in core/updates_testing:
========================
gnome-shell-3.32.1-2.2.mga7

from gnome-shell-3.32.1-2.2.mga7.src.rpm

Assignee: gnome => qa-bugs
Status comment: Patch available from upstream and openSUSE => (none)

Comment 7 Brian Rockwell 2021-07-08 15:57:30 CEST
installed

- logged out

- rebooted

no issues

CC: (none) => brtians1

Brian Rockwell 2021-07-08 16:04:56 CEST

Whiteboard: (none) => MGA7-64-OK

Comment 8 Thomas Andrews 2021-07-08 21:18:32 CEST
Validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-08 22:41:32 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-17489

Comment 9 Mageia Robot 2021-07-09 00:44:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0316.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

