That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/05/24/1 It only affects version 46 so only Cauldron is affected.
CVE: (none) => CVE-2024-5148Source RPM: (none) => gnome-remote-desktop-46.0-1.mga10.src.rpm
From the CVE, which is excellent and worth a read: "A) Unauthenticated Handover D-Bus Interface (CVE-2024-5148) =========================================================== Only the "org.gnome.RemoteDesktop.Rdp.Server" D-Bus interface is protected by Polkit. `auth_admin` authorization is required on this interface for all methods. The other two interfaces "Dispatcher" and "Handover" are not authorized and are accessible to all local users in the system. This leads to a number of local security issues described in the following subsections. Local Private Key Leak System Credentials Leak The Socket Connection can be Obtained via TakeClient() The bugfix is available starting from version 46.2 and is found in commit 9fbaae1a [4] B) `find_cr_lf()` Suffers from a one Byte Overread ================================================== The bugfix is found starting in release 46.2 in commit 663ad63172 [5].
Assignee: bugsquad => gnomeStatus comment: (none) => Bugfixes in release 46.2
Fixed!
CC: (none) => geiger.david68210Status: NEW => RESOLVEDResolution: (none) => FIXED