*** This bug is a security vulnerability ***

Public security bug reported:

Security Impact
---------------
Open windows can be viewed from the lock screen without unlocking the screen.

Test Case
---------
From upstream

This is the broken case and should not happen:

- Lock screen (e.g. Super+L)
- Press PrtScn to open screenshot tool
- Press V twice to toggle the screenshot tool from picture mode to video mode 
and then back to picture mode. (First bug: it should not be possible to enter 
video mode when the UI element is insensitive.)
- Enter the window selection mode by clicking or pressing W
- Now all of the user's windows may be viewed despite the session being locked.

Initial Testing Done
--------------------
I built the package locally. I installed the updated packages on Ubuntu 23.04 
and was no longer able to reproduce the failure case.

Other Info
----------
I was unable to duplicate the failure with Ubuntu 22.04 LTS.

GNOME Shell 42 (included in 22.04 LTS) was the first GNOME release with
an embedded screenshot tool; previously it used gnome-screenshot. So
older versions are definitely not affected. GNOME Shell 42 reached End
of Life earlier this year, but it does not appear to be affected by this
issue.

This issue has been fixed for Ubuntu 23.10 with GNOME Shell 45.0.

** Affects: gnome-shell
     Importance: Unknown
         Status: Unknown

** Affects: gnome-shell (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: gnome-shell (Ubuntu Lunar)
     Importance: Undecided
         Status: Confirmed


** Tags: lunar

** Changed in: gnome-shell (Ubuntu)
       Status: Confirmed => Fix Released

** Also affects: gnome-shell (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Changed in: gnome-shell (Ubuntu Lunar)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/2036746

Title:
  CVE-2023-43090: avoid exposing window previews on lock screen via
  keyboard

Status in GNOME Shell:
  Unknown
Status in gnome-shell package in Ubuntu:
  Fix Released
Status in gnome-shell source package in Lunar:
  Confirmed

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
