Hi Salvatore,

On Sat, 29 Aug 2020 09:33:01 CEST, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> thanks for triaging the issue further.
>
> On Sat, Aug 29, 2020 at 06:08:06AM +0000, Mike Gabriel wrote:
> > Hi Simon,
> >
> > I just looked into CVE-2020-17489/gnome-shell for stretch and buster. It
> > seems that the cleartext password feature has only become available in
> > gnome-shell 3.36.x.
> >
> > Thus, I marked gnome-shell/buster and gnome-shell/stretch as unaffected by
> > CVE-2020-17489 [1]. Please correct me if I am wrong on this.
>
> The reporter said that the issue has been visible since 3.34 (the
> password length is disclosed) but then got worse with 3.36, when the
> password visibility option was introduced, leaking the clear-text
> password.
>
> There seem to have been several reworks around 3.33.90 with the fade
> out/opacity, so this sounds plausible, but I have not found where the
> issue really got introduced and the logout started misbehaving by
> showing the information, nor pinpointed the commits introducing it, nor
> gained enough confidence source-wise about where the issue started to be present.
>
> But as the contributor did some explicit testing with the versions
> between 3.28 and the 3.37.3 version, it still seems plausible to
> confirm that it was introduced in 3.34 only.
>
> Regards,
> Salvatore

As a rule of thumb: for tracking vulnerabilities, we prefer to rather
err on the "wrong" side, saying something is affected but possibly marking
it as no-dsa (when it is difficult to pinpoint where the issue got
introduced), rather than be "wrong" on the other side. Thus some issues
will remain marked no-dsa when there is not enough confidence that the
issue is not really present.

Here is a summary of what we discussed on IRC.

  * gnome-shell in stretch+buster reveals the password length
  * CVE-2020-17489/buster -> back to <no-dsa> (fix via buster-pu)
  * CVE-2020-17489/stretch -> back to "vulnerable" (fix via LTS in prep)

@smcv: please let me know if you are ok with me uploading to buster-pu or if you'd rather have a .debdiff.

(If I don't hear from you through the day, I will send a .debdiff to #9683111).

Greets,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
