On Sun, 17 Sep 2023 at 20:57:36 +0200, Salvatore Bonaccorso wrote: > On Sun, Sep 17, 2023 at 07:09:45PM +0100, Simon McVittie wrote: > > As far as I can tell, oldstable is not affected by this, because it > > doesn't appear to have the new screenshot UI in js/ui/screenshot.js that > > has the vulnerability. > > Do you think it's safe to say that the issue is introduced around the > commits which introduce in the screenshot-ui the screenshot/screencast > toggles, e.g. 497d9f32eb02 ("screenshot-ui: Add screenshot/screencast > toggle") and eb60fa290882 ("screenshot-ui: Bind button to shot/cast") > which are in 42.beta upstream?
Perhaps a little earlier than that, but I can't see how versions earlier than 8ebc478f "Add scaffolding for the new screenshot UI" could be vulnerable, and that commit was also first released in 42.beta. smcv