On Sun, 17 Sep 2023 at 18:17:56 +0100, Simon McVittie wrote:
> I can upload this to security-master if wanted, or the security
> team or other GNOME team members are welcome to sponsor it
> or upload their own version if they would like to take my
> response time off the critical path. Unsigned packages are in
> https://people.debian.org/~smcv/bug1052067/, diff attached.
Sigh, diff really attached now. I'm sorry, I should be more careful not
to waste your time.
smcv
diffstat for gnome-shell-43.6 gnome-shell-43.6
debian/changelog | 8 +
debian/patches/screenshot-Do-not-wrongly-enable-window-button.patch | 71 ++++++++++
debian/patches/screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch | 35 ++++
debian/patches/series | 2
js/ui/screenshot.js | 22 +--
5 files changed, 130 insertions(+), 8 deletions(-)
diff -Nru gnome-shell-43.6/debian/changelog gnome-shell-43.6/debian/changelog
--- gnome-shell-43.6/debian/changelog 2023-06-11 00:08:43.000000000 +0100
+++ gnome-shell-43.6/debian/changelog 2023-09-17 17:18:49.000000000 +0100
@@ -1,3 +1,11 @@
+gnome-shell (43.6-1~deb12u2) bookworm-security; urgency=high
+
+ * Team upload
+ * Avoid exposing window previews on lock screen via keyboard shortcuts
+ (Closes: #1052067, CVE-2023-43090, gnome-shell#6990)
+
+ -- Simon McVittie <[email protected]> Sun, 17 Sep 2023 17:18:49 +0100
+
gnome-shell (43.6-1~deb12u1) bookworm; urgency=medium
* Rebuild for bookworm
diff -Nru gnome-shell-43.6/debian/patches/screenshot-Do-not-wrongly-enable-window-button.patch gnome-shell-43.6/debian/patches/screenshot-Do-not-wrongly-enable-window-button.patch
--- gnome-shell-43.6/debian/patches/screenshot-Do-not-wrongly-enable-window-button.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnome-shell-43.6/debian/patches/screenshot-Do-not-wrongly-enable-window-button.patch 2023-09-17 17:18:49.000000000 +0100
@@ -0,0 +1,71 @@
+From: =?utf-8?q?Florian_M=C3=BCllner?= <[email protected]>
+Date: Thu, 7 Sep 2023 17:59:03 +0200
+Subject: screenshot: Do not wrongly enable window button
+
+The window button is disabled when
+ - there are no windows
+ - we are in screen-recording mode
+ - the session mode doesn't allow windows
+
+However the last condition is only taken into account when
+opening the dialog, but not when switching from recording-
+to screenshot mode.
+
+Address this by updating the button's sensitivity in a separate
+function, so the different conditions are considered consistently.
+
+(cherry picked from commit 521525948eed85cc27c0796a0b9569d161df81ba)
+
+Bug: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990
+CVE: CVE-2023-43090
+Origin: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2944
+Applied-upstream: 43.9, commit:9d81bbb8b60aa11082a8e7017995e0bc4745e506
+Bug-Debian: https://bugs.debian.org/1052067
+---
+ js/ui/screenshot.js | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/js/ui/screenshot.js b/js/ui/screenshot.js
+index 4d9e42e..84830b2 100644
+--- a/js/ui/screenshot.js
++++ b/js/ui/screenshot.js
+@@ -1370,6 +1370,16 @@ var ScreenshotUI = GObject.registerClass({
+ this._castButton.reactive = Main.sessionMode.allowScreencast;
+ }
+
++ _syncWindowButtonSensitivity() {
++ const windows =
++ this._windowSelectors.flatMap(selector => selector.windows());
++
++ this._windowButton.reactive =
++ Main.sessionMode.hasWindows &&
++ windows.length > 0 &&
++ !this._castButton.checked;
++ }
++
+ _refreshButtonLayout() {
+ const buttonLayout = Meta.prefs_get_button_layout();
+
+@@ -1486,10 +1496,7 @@ var ScreenshotUI = GObject.registerClass({
+ });
+ }
+
+- this._windowButton.reactive =
+- Main.sessionMode.hasWindows &&
+- windows.length > 0 &&
+- !this._castButton.checked;
++ this._syncWindowButtonSensitivity();
+ if (!this._windowButton.reactive)
+ this._selectionButton.checked = true;
+
+@@ -1732,9 +1739,7 @@ var ScreenshotUI = GObject.registerClass({
+
+ this._captureButton.remove_style_pseudo_class('cast');
+
+- const windows =
+- this._windowSelectors.flatMap(selector => selector.windows());
+- this._windowButton.reactive = windows.length > 0;
++ this._syncWindowButtonSensitivity();
+ }
+ }
+
diff -Nru gnome-shell-43.6/debian/patches/screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch gnome-shell-43.6/debian/patches/screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch
--- gnome-shell-43.6/debian/patches/screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch 1970-01-01 01:00:00.000000000 +0100
+++ gnome-shell-43.6/debian/patches/screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch 2023-09-17 17:18:49.000000000 +0100
@@ -0,0 +1,35 @@
+From: =?utf-8?q?Florian_M=C3=BCllner?= <[email protected]>
+Date: Thu, 7 Sep 2023 18:00:21 +0200
+Subject: screenshot: Only handle mode-switch shortcut when supported
+
+We currently handle the 'v' key to switch between recording- and
+screenshot mode regardless of whether screen recordings are
+supported.
+
+This is clearly wrong, don't do that.
+
+(cherry picked from commit 671df28a509ae208e158976f0855d91fdbea16a1)
+
+Bug: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990
+CVE: CVE-2023-43090
+Origin: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/2944
+Applied-upstream: 43.9, commit:673e78457257243d408c85285eb8324f7954e395
+Bug-Debian: https://bugs.debian.org/1052067
+---
+ js/ui/screenshot.js | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/js/ui/screenshot.js b/js/ui/screenshot.js
+index 84830b2..5139052 100644
+--- a/js/ui/screenshot.js
++++ b/js/ui/screenshot.js
+@@ -2001,7 +2001,8 @@ var ScreenshotUI = GObject.registerClass({
+ return Clutter.EVENT_STOP;
+ }
+
+- if (symbol === Clutter.KEY_v || symbol === Clutter.KEY_V) {
++ if (this._castButton.reactive &&
++ (symbol === Clutter.KEY_v || symbol === Clutter.KEY_V)) {
+ this._castButton.checked = !this._castButton.checked;
+ return Clutter.EVENT_STOP;
+ }
diff -Nru gnome-shell-43.6/debian/patches/series gnome-shell-43.6/debian/patches/series
--- gnome-shell-43.6/debian/patches/series 2023-06-11 00:08:43.000000000 +0100
+++ gnome-shell-43.6/debian/patches/series 2023-09-17 17:18:49.000000000 +0100
@@ -1,2 +1,4 @@
+screenshot-Do-not-wrongly-enable-window-button.patch
+screenshot-Only-handle-mode-switch-shortcut-when-supporte.patch
debian/gnome-shell-extension-prefs-Give-Debian-specific-advice.patch
debian/Revert-build-Port-to-gcr4.patch
diff -Nru gnome-shell-43.6/js/ui/screenshot.js gnome-shell-43.6/js/ui/screenshot.js
--- gnome-shell-43.6/js/ui/screenshot.js 2023-06-03 11:50:05.000000000 +0100
+++ gnome-shell-43.6/js/ui/screenshot.js 2023-09-17 18:19:32.000000000 +0100
@@ -1370,6 +1370,16 @@
this._castButton.reactive = Main.sessionMode.allowScreencast;
}
+ _syncWindowButtonSensitivity() {
+ const windows =
+ this._windowSelectors.flatMap(selector => selector.windows());
+
+ this._windowButton.reactive =
+ Main.sessionMode.hasWindows &&
+ windows.length > 0 &&
+ !this._castButton.checked;
+ }
+
_refreshButtonLayout() {
const buttonLayout = Meta.prefs_get_button_layout();
@@ -1486,10 +1496,7 @@
});
}
- this._windowButton.reactive =
- Main.sessionMode.hasWindows &&
- windows.length > 0 &&
- !this._castButton.checked;
+ this._syncWindowButtonSensitivity();
if (!this._windowButton.reactive)
this._selectionButton.checked = true;
@@ -1732,9 +1739,7 @@
this._captureButton.remove_style_pseudo_class('cast');
- const windows =
- this._windowSelectors.flatMap(selector => selector.windows());
- this._windowButton.reactive = windows.length > 0;
+ this._syncWindowButtonSensitivity();
}
}
@@ -1996,7 +2001,8 @@
return Clutter.EVENT_STOP;
}
- if (symbol === Clutter.KEY_v || symbol === Clutter.KEY_V) {
+ if (this._castButton.reactive &&
+ (symbol === Clutter.KEY_v || symbol === Clutter.KEY_V)) {
this._castButton.checked = !this._castButton.checked;
return Clutter.EVENT_STOP;
}
