Bug 32320 - gnome-shell new security issue CVE-2023-43090
Summary: gnome-shell new security issue CVE-2023-43090
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-25 10:57 CEST by Nicolas Salguero
Modified: 2023-11-09 14:57 CET

See Also:
Source RPM: gnome-shell-44.2-1.mga9.src.rpm
CVE:
Status comment:


Nicolas Salguero 2023-09-25 10:57:32 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => gnome-shell-44.2-1.mga9.src.rpm

Comment 1 Lewis Smith 2023-09-25 20:40:23 CEST
Various packagers have dealt with this SRPM, so assigning to Gnome group.

Assignee: bugsquad => gnome

Comment 2 Nicolas Salguero 2023-11-03 14:02:43 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNOME Shell's lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool. (CVE-2023-43090)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43090
https://ubuntu.com/security/notices/USN-6395-1
========================

Updated packages in core/updates_testing:
========================
gnome-shell-44.2-1.1.mga9
gnome-shell-api_doc-44.2-1.1.mga9

from SRPM:
gnome-shell-44.2-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: gnome => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9

Comment 3 Jens Persson 2023-11-03 14:24:52 CET
Why use an old version?

CC: (none) => xerxes2

Comment 4 Marja Van Waes 2023-11-03 15:31:42 CET
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 5 Marja Van Waes 2023-11-03 15:33:10 CET
(In reply to Jens Persson from comment #3)
> Why use an old version?

https://wiki.mageia.org/en/Updates_policy#Version_Policy

Comment 6 Jens Persson 2023-11-03 15:51:16 CET
(In reply to Marja Van Waes from comment #5)
> (In reply to Jens Persson from comment #3)
> > Why use an old version?
> 
> https://wiki.mageia.org/en/Updates_policy#Version_Policy

Yeah that is what I meant. Plenty of bug fix releases out already. Latest is 44.6 I think.

https://download.gnome.org/sources/gnome-shell/44/

Comment 7 Guillaume Royer 2023-11-07 21:00:19 CET
Updated with QA repo and RPM: 

gnome-shell-44.2-1.1.mga9

No issues after reboot. I can connect my user and lock/unlock my session without problem.

CC: (none) => guillaume.royer

Comment 8 Brian Rockwell 2023-11-08 03:48:18 CET
MGA9-64, GNOME

The following package is going to be installed:

- gnome-shell-44.2-1.1.mga9.x86_64

0B of additional disk space will be used.

1.7MB of packages will be retrieved.

--

rebooted

spent most of a day with it.  No issues and screenlocks working as expected.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1

Comment 9 Thomas Andrews 2023-11-08 15:00:50 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Thomas Andrews 2023-11-08 15:08:42 CET
@Jens: If you believe we should update all of Gnome, then by all means file a bug on the subject and debate it there. 

But in the meantime, we shouldn't hold this security patch back for it.

Comment 11 Mageia Robot 2023-11-09 14:57:29 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0311.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
