Bug 33434 - gnome-shell new security issue CVE-2024-36472
Summary: gnome-shell new security issue CVE-2024-36472
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 33198
Blocks:
Reported: 2024-07-25 10:05 CEST by Nicolas Salguero
Modified: 2024-09-27 03:31 CEST

See Also:
Source RPM: gnome-shell-44.2-1.1.mga9.src.rpm
CVE: CVE-2024-36472
Status comment:


Description Nicolas Salguero 2024-07-25 10:05:05 CEST
SUSE has issued an advisory on July 22:
https://lists.suse.com/pipermail/sle-updates/2024-July/036098.html

Nicolas Salguero 2024-07-25 10:06:51 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Patch available from upstream and openSUSE
Source RPM: (none) => gnome-shell-46.2-1.mga10.src.rpm
CVE: (none) => CVE-2024-36472

Comment 1 Lewis Smith 2024-07-25 21:54:00 CEST
I could not find a patch anywhere, following links.

Assignee: bugsquad => gnome

Comment 2 Nicolas Salguero 2024-09-06 09:33:52 CEST
Ubuntu has issued an advisory on August 15:
https://ubuntu.com/security/notices/USN-6963-1

Comment 3 Nicolas Salguero 2024-09-18 15:19:11 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In GNOME Shell through 45.7, a portal helper can be launched automatically (without user confirmation) based on network responses provided by an adversary (e.g., an adversary who controls the local Wi-Fi network), and subsequently loads untrusted JavaScript code, which may lead to resource consumption or other impacts depending on the JavaScript code's behavior. (CVE-2024-36472)

References:
https://lists.suse.com/pipermail/sle-updates/2024-July/036098.html
https://ubuntu.com/security/notices/USN-6963-1
========================

Updated packages in core/updates_testing:
========================
gnome-shell-44.2-1.2.mga9
gnome-shell-api_doc-44.2-1.2.mga9

from SRPM:
gnome-shell-44.2-1.2.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: gnome => qa-bugs
Status comment: Patch available from upstream and openSUSE => (none)
Source RPM: gnome-shell-46.2-1.mga10.src.rpm => gnome-shell-44.2-1.1.mga9.src.rpm
Depends on: (none) => 33198

katnatek 2024-09-18 18:43:57 CEST

Keywords: (none) => advisory

Comment 4 Ben McMonagle 2024-09-23 01:35:01 CEST
installed both packages:

gnome-shell-44.2-1.2.mga9
gnome-shell-api_doc-44.2-1.2.mga9

reboot and login to x11 session

logout and into a wayland session

ff ok.
.mp4 playback (totem) sound and video -ok

CC: (none) => westel

Comment 5 Ben McMonagle 2024-09-23 01:35:51 CEST
meant to add: x86_64 system

Comment 6 Ben McMonagle 2024-09-23 02:01:51 CEST
updated also glibc for this DE.

seems ok.

Comment 7 Brian Rockwell 2024-09-25 15:04:49 CEST
MGA9-64, Gnome

installed both packages and rebooted


No issues to report.  I will need to test Cinnamon as well.

CC: (none) => brtians1

Comment 8 Brian Rockwell 2024-09-25 15:47:41 CEST
nothing in cinnamon for gnomeshell

Comment 9 Thomas Andrews 2024-09-25 17:26:12 CEST
Does anyone have a 32-bit Gnome system that could be tested? I realize they would not be commonplace.

If not, I will send this on as is.

CC: (none) => andrewsfarm

Comment 10 Thomas Andrews 2024-09-27 02:19:27 CEST
Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2024-09-27 03:31:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0314.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
