CVE-2017-8288

Name: CVE-2017-8288
Description: gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

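| Source Package | Release | Version | Status |
|---|---|---|---|
| gnome-shell (PTS) | jessie | 3.14.4-1~deb8u1 | vulnerable |
| gnome-shell (PTS) | stretch (security), stretch (lts), stretch | 3.22.3-3+deb9u1 | fixed |
| gnome-shell (PTS) | buster | 3.30.2-11~deb10u2 | fixed |
| gnome-shell (PTS) | bullseye (security), bullseye | 3.38.6-1~deb11u2 | fixed |
| gnome-shell (PTS) | bookworm (security), bookworm | 43.9-0+deb12u2 | fixed |
| gnome-shell (PTS) | sid, trixie | 47.1-2 | fixed |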

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gnome-shell | source | (unstable) | 3.22.3-3 | | | |

Notes

[jessie] - gnome-shell <no-dsa> (Minor issue)
[wheezy] - gnome-shell <no-dsa> (Minor issue)
https://bugzilla.gnome.org/show_bug.cgi?id=781728
https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
