Bug#970239: marked as done (buster-pu: package gnome-shell/3.30.2-11~deb10u2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970239,
regarding buster-pu: package gnome-shell/3.30.2-11~deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970239: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970239
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: package gnome-shell/3.30.2-11~deb10u2
• From: Simon McVittie <smcv@debian.org>
• Date: Sun, 13 Sep 2020 13:26:15 +0100
• Message-id: <[🔎] 20200913122615.GA98377@espresso.pseudorandom.co.uk>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-gtk-gnome@lists.debian.org

[ Reason ]

CVE-2020-17489: If a user logs in and types their password, on switching
to the gdm login screen (in particular for "fast user switching") the
password entry box is briefly visible, disclosing the length of the
password that was entered (by counting the number of character placeholders
in the box).

[ Impact ]

Length of a local user's password is disclosed to other local users.

[ Tests ]

Tested manually on a Debian 10 machine.

[ Risks ]

Backport of a straightforward upstream change, considered to be low-risk.
Contingency plan: revert it.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable (in 3.36.5-1)

[ Changes ]

Reset the state of the authentication prompt before starting the fade
transition, instead of after.

diffstat for gnome-shell-3.30.2 gnome-shell-3.30.2

 changelog                                                                              |   11 ++
 patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch |   44 ++++++++++
 patches/series                                                                         |    1 
 3 files changed, 56 insertions(+)

diff -Nru gnome-shell-3.30.2/debian/changelog gnome-shell-3.30.2/debian/changelog
--- gnome-shell-3.30.2/debian/changelog	2019-08-18 19:50:59.000000000 +0100
+++ gnome-shell-3.30.2/debian/changelog	2020-09-13 11:22:32.000000000 +0100
@@ -1,3 +1,14 @@
+gnome-shell (3.30.2-11~deb10u2) buster; urgency=medium
+
+  * Team upload
+
+  [ Mike Gabriel ]
+  * debian/patches:
+    + Add loginDialog-*_CVE-2020-17498.patch. loginDialog: Reset auth prompt on
+      vt switch before fade in. (Closes: #968311. CVE-2020-17489).
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 13 Sep 2020 11:22:32 +0100
+
 gnome-shell (3.30.2-11~deb10u1) buster; urgency=medium
 
   * Team upload
diff -Nru gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch
--- gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch	1970-01-01 01:00:00.000000000 +0100
+++ gnome-shell-3.30.2/debian/patches/loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch	2020-09-13 11:22:32.000000000 +0100
@@ -0,0 +1,44 @@
+From 13137aad9db52223e8b62cecbd3456f4a7f66f04 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Mon, 27 Jul 2020 10:58:49 -0400
+Subject: [PATCH] loginDialog: Reset auth prompt on vt switch before fade in
+
+At the moment, if a user switches to the login screen vt,
+the login screen fades in whatever was on screen prior, and
+then does a reset.
+
+It makes more sense to reset first, so we fade in what the
+user is going to interact with instead of what they interacted
+with before.
+
+Fixes: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
+
+[sunweaver] Rebased against gnome-shell 3.30.2.
+
+---
+ js/gdm/loginDialog.js | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/js/gdm/loginDialog.js
++++ b/js/gdm/loginDialog.js
+@@ -923,6 +923,9 @@
+         if (this.actor.opacity == 255 && this._authPrompt.verificationStatus == AuthPrompt.AuthPromptStatus.NOT_VERIFYING)
+             return;
+ 
++        if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING)
++            this._authPrompt.reset();
++
+         Tweener.addTween(this.actor,
+                          { opacity: 255,
+                            time: _FADE_ANIMATION_TIME,
+@@ -936,10 +939,6 @@
+                                }
+                            },
+                            onUpdateScope: this,
+-                           onComplete() {
+-                               if (this._authPrompt.verificationStatus != AuthPrompt.AuthPromptStatus.NOT_VERIFYING)
+-                                   this._authPrompt.reset();
+-                           },
+                            onCompleteScope: this });
+     },
+ 
diff -Nru gnome-shell-3.30.2/debian/patches/series gnome-shell-3.30.2/debian/patches/series
--- gnome-shell-3.30.2/debian/patches/series	2019-08-18 19:50:59.000000000 +0100
+++ gnome-shell-3.30.2/debian/patches/series	2020-09-13 11:22:32.000000000 +0100
@@ -27,3 +27,4 @@
 ShellApp-Use-g_signal_connect_object-for-window-signals.patch
 tweener-Save-handlers-on-target-and-remove-them-on-destro.patch
 workaround_crasher_fractional_scaling.patch
+loginDialog-Reset-auth-prompt-on-vt-switch-before-fade-in_CVE-2020-17489.patch

--- End Message ---

--- Begin Message ---

• To: 947464-done@bugs.debian.org, 949826-done@bugs.debian.org, 953614-done@bugs.debian.org, 961843-done@bugs.debian.org, 965334-done@bugs.debian.org, 967995-done@bugs.debian.org, 967996-done@bugs.debian.org, 968037-done@bugs.debian.org, 968296-done@bugs.debian.org, 968502-done@bugs.debian.org, 968515-done@bugs.debian.org, 968548-done@bugs.debian.org, 968723-done@bugs.debian.org, 968846-done@bugs.debian.org, 969066-done@bugs.debian.org, 969163-done@bugs.debian.org, 969172-done@bugs.debian.org, 969190-done@bugs.debian.org, 969272-done@bugs.debian.org, 969348-done@bugs.debian.org, 969349-done@bugs.debian.org, 969366-done@bugs.debian.org, 969369-done@bugs.debian.org, 969706-done@bugs.debian.org, 969912-done@bugs.debian.org, 970096-done@bugs.debian.org, 970098-done@bugs.debian.org, 970132-done@bugs.debian.org, 970239-done@bugs.debian.org, 970241-done@bugs.debian.org, 970296-done@bugs.debian.org, 970307-done@bugs.debian.org, 970311-done@bugs.debian.org, 970349-done@bugs.debian.org, 970387-done@bugs.debian.org, 970424-done@bugs.debian.org, 970427-done@bugs.debian.org, 970549-done@bugs.debian.org, 970563-done@bugs.debian.org, 970564-done@bugs.debian.org, 970569-done@bugs.debian.org, 970583-done@bugs.debian.org, 970584-done@bugs.debian.org
• Subject: Closing bugs for fixes included in 10.6 point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 26 Sep 2020 11:36:30 +0100
• Message-id: <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---