On Sun, 17 Sep 2023 at 20:57:36 +0200, Salvatore Bonaccorso wrote:
> On Sun, Sep 17, 2023 at 07:09:45PM +0100, Simon McVittie wrote:
> > As far as I can tell, oldstable is not affected by this, because it
> > doesn't appear to have the new screenshot UI in js/ui/screenshot.js that
> > has the vulnerability.
>
> Do you think it's safe to say that the issue is introduced around the
> commits which introduce in the screenshot-ui the screenshot/screencast
> toggles, e.g. 497d9f32eb02 ("screenshot-ui: Add screenshot/screencast
> toggle") and eb60fa290882 ("screenshot-ui: Bind button to shot/cast")
> which are in 42.beta upstream?
Perhaps a little earlier than that, but I can't see how versions earlier
than 8ebc478f "Add scaffolding for the new screenshot UI" could be
vulnerable, and that commit was also first released in 42.beta.
smcv
