Hi Salvatore, On Sa 29 Aug 2020 09:33:01 CEST, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> thanks for triaging the issue further.
>
> On Sat, Aug 29, 2020 at 06:08:06AM +0000, Mike Gabriel wrote:
> > Hi Simon,
> >
> > I just looked into CVE-2020-17489/gnome-shell for stretch and buster. It seems that the cleartext password feature has only become available in gnome-shell 3.36.x. Thus, I marked gnome-shell/buster and gnome-shell/stretch as unaffected by CVE-2020-17489 [1]. Please correct me, if I am wrong on this.
>
> The reporter said that the issue is visible since 3.34 (the password length disclosed) but then got worse with 3.36 when the password visibility option was introduced, leaking the clear-text password. There seem to have been several reworks around 3.33.90 with the fade out/opacity, so this sounds plausible, but I have not found where the issue really got introduced and the logout started misbehaving showing the information, nor pin-pointed the commits introducing it, or enough confidence source-wise where the issue started to be present. But as the contributor did some explicit testing with the versions between 3.28 and the 3.37.3 version, this still seems plausible to be confirmed introduced in 3.34 only.
>
> Regards,
> Salvatore
>
> As a rule of thumb: for tracking vulnerabilities, we prefer to rather err on the "wrong" side saying something is affected but possibly mark it as no-dsa (when difficult to pin-point where the issue got introduced) rather than be "wrong" on the other side. Thus some issues will remain marked no-dsa when there is not enough confidence the issue is not really present.
here is a summary of what we discussed on IRC:

 * gnome-shell in stretch+buster reveals password length
 * CVE-2020-17489/buster -> back to <no-dsa> (fix via buster-pu)
 * CVE-2020-17489/stretch -> back to "vulnerable" (fix via LTS in prep)

@smcv: please let me know if you are ok with me uploading to buster-pu or if you'd rather like to have a .debdiff.
(If I don't hear from you through the day, I will send a .debdiff to #9683111).
Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net