CVE-2023-43090: avoid exposing window previews on lock screen via keyboard
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
GNOME Shell |
Fix Released
|
Unknown
|
|||
gnome-shell (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Jammy |
Invalid
|
Undecided
|
Unassigned | ||
Lunar |
Fix Released
|
High
|
Marc Deslauriers | ||
Mantic |
Fix Released
|
High
|
Unassigned |
Bug Description
Security Impact
---------------
Open windows can be viewed from the lock screen without unlocking the screen.
Test Case
---------
From upstream
This is the broken case and should not happen:
- Lock screen (e.g. Super+L)
- Press PrtScn to open screenshot tool
- Press V twice to toggle the screenshot tool from picture mode to video mode and then back to picture mode. (First bug: it should not be possible to enter video mode when the UI element is insensitive.)
- Enter the window selection mode by clicking or pressing W
- Now all of the user's windows may be viewed despite the session being locked.
Initial Testing Done
-------
I built the package locally. I installed the updated packages on Ubuntu 23.04 and was no longer able to reproduce the failure case.
Other Info
----------
I was unable to duplicate the failure with Ubuntu 22.04 LTS.
GNOME Shell 42 (included in 22.04 LTS) was the first GNOME release with an embedded screenshot tool; previously it used gnome-screenshot. So older versions are definitely not affected. GNOME Shell 42 reached End of Life earlier this year, but it does not appear to be affected by this issue.
This issue has been fixed for Ubuntu 23.10 with GNOME Shell 45.0
CVE References
information type: | Public → Public Security |
Changed in gnome-shell (Ubuntu Lunar): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in gnome-shell (Ubuntu Jammy): | |
status: | New → Invalid |
Changed in gnome-shell: | |
status: | Unknown → Fix Released |
gnome-shell (44.3-0ubuntu2) lunar-security; urgency=medium
* SECURITY UPDATE: Avoid exposing window previews on lock screen
via keyboard shortcuts (CVE-2023-43090, LP: #2036746, gnome-shell#6990)
-- Jeremy Bícha <email address hidden> Wed, 20 Sep 2023 08:32:31 -0400