Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-gtk-gn...@lists.debian.org
[ Reason ]
CVE-2020-17489: If a user logs in and types their password, on switching to
the gdm login screen (in particular for "fast user switching") the password
entry box is briefly visible, disclosing the length of the password that was
entered (by counting the number of character placeholders in the box).

[ Impact ]
Length of a local user's password is disclosed to other local users.

[ Tests ]
Tested manually on a Debian 10 machine.

[ Risks ]
Backport of a straightforward upstream change, considered to be low-risk.
Contingency plan: revert it.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (in 3.36.5-1)

[ Changes ]
Reset the state of the authentication prompt before starting the fade
transition, instead of after.
diffstat for gnome-shell-3.30.2 gnome-shell-3.30.2 changelog | 11 ++ patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch | 44 ++++++++++ patches/series | 1 3 files changed, 56 insertions(+) diff -Nru gnome-shell-3.30.2/debian/changelog gnome-shell-3.30.2/debian/changelog --- gnome-shell-3.30.2/debian/changelog 2019-08-18 19:50:59.000000000 +0100 +++ gnome-shell-3.30.2/debian/changelog 2020-09-13 11:22:32.000000000 +0100 @@ -1,3 +1,14 @@ +gnome-shell (3.30.2-11~deb10u2) buster; urgency=medium + + * Team upload + + [ Mike Gabriel ] + * debian/patches: + + Add loginDialog-*_CVE-2020-17498.patch. loginDialog: Reset auth prompt on + vt switch before fade in. (Closes: #968311. CVE-2020-17489). + + -- Simon McVittie <s...@debian.org> Sun, 13 Sep 2020 11:22:32 +0100 + gnome-shell (3.30.2-11~deb10u1) buster; urgency=medium * Team upload diff -Nru gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch --- gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch 2020-09-13 11:22:32.000000000 +0100 
@@ -0,0 +1,44 @@ +From 13137aad9db52223e8b62cecbd3456f4a7f66f04 Mon Sep 17 00:00:00 2001 +From: Ray Strode <rstr...@redhat.com> +Date: Mon, 27 Jul 2020 10:58:49 -0400 +Subject: [PATCH] loginDialog: Reset auth prompt on vt switch before fade in + +At the moment, if a user switches to the login screen vt, +the login screen fades in whatever was on screen prior, and +then does a reset. + +It makes more sense to reset first, so we fade in what the +user is going to interact with instead of what they interacted +with before. + +Fixes: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997 + +[sunweaver] Rebased against gnome-shell 3.30.2. + +--- + js/gdm/loginDialog.js | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/js/gdm/loginDialog.js ++++ b/js/gdm/loginDialog.js +@@ -923,6 +923,9 @@ + if (this.actor.opacity == 255 && this._authPrompt.verificationStatus == AuthPrompt.AuthPromptStatus.NOT_VERIFYING) + return; + ++ if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) ++ this._authPrompt.reset(); ++ + Tweener.addTween(this.actor, + { opacity: 255, + time: _FADE_ANIMATION_TIME, +@@ -936,10 +939,6 @@ + } + }, + onUpdateScope: this, +- onComplete() { +- if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING) +- this._authPrompt.reset(); +- }, + onCompleteScope: this }); + }, + diff -Nru gnome-shell-3.30.2/debian/patches/series gnome-shell-3.30.2/debian/patches/series --- gnome-shell-3.30.2/debian/patches/series 2019-08-18 19:50:59.000000000 +0100 +++ gnome-shell-3.30.2/debian/patches/series 2020-09-13 11:22:32.000000000 +0100 @@ -27,3 +27,4 @@ ShellApp-Use-g_signal_connect_object-for-window-signals.patch tweener-Save-handlers-on-target-and-remove-them-on-destro.patch workaround_crasher_fractional_scaling.patch +loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch
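Review bot: in the debian/changelog hunk, the 3.30.2-11~deb10u2 stanza names the patch as `loginDialog-*_CVE-2020-17498.patch`, but the file this debdiff actually adds (and the CVE cited later in the same bullet, in the Reason section and in the patch filename) is `..._CVE-2020-17489.patch`; the transposed digits should be corrected before upload so the changelog, the `Closes: #968311` reference and the patch name all agree.

Review bot: in the second loginDialog.js hunk inside the new patch file, removing the `onComplete()` callback leaves `onCompleteScope: this` in the `Tweener.addTween` call with no handler for it to apply to; it is harmless but dead, and dropping it together with the callback keeps the tween parameters consistent. The reordering itself looks correct: the reset now runs before `Tweener.addTween` whenever `verificationStatus != NOT_VERIFYING`, so the prompt is cleared before the first fade frame is drawn, and the early `return` at the top still only skips work when the dialog is already fully opaque and not verifying.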
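To make the ordering issue concrete, the following is an added example (not gnome-shell code and not part of this bug report): a small model of the login dialog with a simulated tween, run once with the pre-patch ordering (reset in `onComplete`, after the fade) and once with the patched ordering (reset before the tween starts). `AuthPrompt`, `fadeIn`, `observe` and `SAMPLE_PASSWORD` are constructed stand-ins for the real objects; the observer records how many placeholder characters an onlooker could count on each frame where the dialog has non-zero opacity.

```javascript
// Added example, not gnome-shell code: models the two orderings of
// "reset the auth prompt" and "fade the login dialog in" that the
// CVE-2020-17489 patch swaps. All names here are constructed stand-ins.
const NOT_VERIFYING = 'not-verifying';
const VERIFYING = 'verifying';

// Minimal stand-in for the real AuthPrompt: an entry with typed text and
// a verification status.
class AuthPrompt {
  constructor() {
    this.verificationStatus = NOT_VERIFYING;
    this.entryText = '';
  }
  typePassword(password) {
    this.entryText = password;
    this.verificationStatus = VERIFYING;
  }
  reset() {
    this.entryText = '';
    this.verificationStatus = NOT_VERIFYING;
  }
}

// Stand-in for Tweener.addTween: steps opacity up to 255 over `frames`
// frames, calling onFrame after each step and onComplete at the end.
function fadeIn(dialog, frames, onFrame, onComplete) {
  for (let i = 1; i <= frames; i++) {
    dialog.opacity = Math.round((255 * i) / frames);
    onFrame();
  }
  if (onComplete)
    onComplete();
}

// What an onlooker can see on a frame: once the dialog has any opacity,
// one placeholder per typed character is rendered, so the count leaks.
function observe(dialog, prompt, seen) {
  if (dialog.opacity > 0)
    seen.push(prompt.entryText.length);
}

// Runs one VT switch back to the login screen. resetBeforeFade=false is
// the pre-patch ordering (reset in onComplete); true is the patched one.
// Returns the placeholder count visible on each fade frame.
function simulateVtSwitch(resetBeforeFade, password) {
  const dialog = { opacity: 0 };
  const prompt = new AuthPrompt();
  prompt.typePassword(password); // user typed, then switched VT mid-verification
  const seen = [];

  // Mirrors the early return in the patch: nothing to do if already
  // fully opaque and not verifying.
  if (dialog.opacity === 255 && prompt.verificationStatus === NOT_VERIFYING)
    return seen;

  if (resetBeforeFade && prompt.verificationStatus !== NOT_VERIFYING)
    prompt.reset();

  fadeIn(dialog, 4,
    () => observe(dialog, prompt, seen),
    () => {
      if (!resetBeforeFade && prompt.verificationStatus !== NOT_VERIFYING)
        prompt.reset();
    });
  return seen;
}

// Largest placeholder count an onlooker could have observed.
function maxObservedLength(resetBeforeFade, password) {
  const seen = simulateVtSwitch(resetBeforeFade, password);
  return seen.length ? Math.max(...seen) : 0;
}

// Constructed sample value, not a real credential.
const SAMPLE_PASSWORD = 'correct-horse';

console.log('pre-patch frames :', simulateVtSwitch(false, SAMPLE_PASSWORD));
console.log('patched frames   :', simulateVtSwitch(true, SAMPLE_PASSWORD));
```

With the pre-patch ordering every fade frame shows thirteen placeholders, so the length is disclosed for the whole fade duration; with the reset moved ahead of the tween the entry is already empty on the first frame, which is exactly what the upstream change achieves.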