On Sun, 17 Sep 2023 at 16:49:59 +0200, Salvatore Bonaccorso wrote:
> In this case we have not even decided yet whether it's warranted or not,
> but I just aimed to make an unstable report to get it fixed for sure
> there already.
>
> Let's decide on it and either I or another team member will come back
> to you.
If the security team would like to issue a DSA for this, I've prepared a proposed minimal security update in https://salsa.debian.org/gnome-team/gnome-shell/-/merge_requests/75 and tested it in a VM. I confirm that I can reproduce the issue with current bookworm by following the steps in https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990#note_1840101, and in the proposed version I can no longer reproduce the issue.

I can upload this to security-master if wanted, or the security team or other GNOME team members are welcome to sponsor it or upload their own version if they would like to take my response time off the critical path. Unsigned packages are in https://people.debian.org/~smcv/bug1052067/, diff attached.

My understanding is that I am not permitted to upload signed packages anywhere until the security team has given approval to upload to security-master, because if I did, someone else would be able to upload them to security-master in a way that would cause extra work for the security team; so I have not uploaded any signed packages. I apologise if this is wrong or has caused inconvenience.

If the security team declines to issue a DSA for this, then we will need to retarget this to stable-proposed-updates. Please let me know which route should be taken, because I'm aware that the deadline for 12.2 is next weekend, and I will probably be unable to carry out any Debian work next weekend due to other commitments.

Unrelated to this CVE, I have been trying to prepare a stable bugfix update for mutter and gnome-shell incorporating upstream releases 43.7 and 43.8, and now gnome-shell 43.9 as well. The diff for these now cannot be finalized until we know which route will be taken to fix this CVE.

    smcv