| Name | CVE-2020-17489 |
| Description | An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.) |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2374-1 |
| Debian Bugs | 968311 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gnome-shell (PTS) | jessie | 3.14.4-1~deb8u1 | vulnerable |
| stretch (security), stretch (lts), stretch | 3.22.3-3+deb9u1 | fixed | |
| buster | 3.30.2-11~deb10u2 | fixed | |
| bullseye (security), bullseye | 3.38.6-1~deb11u2 | fixed | |
| bookworm (security), bookworm | 43.9-0+deb12u2 | fixed | |
| sid, trixie | 47.1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gnome-shell | source | jessie | (unfixed) | end-of-life | ||
| gnome-shell | source | stretch | 3.22.3-3+deb9u1 | DLA-2374-1 | ||
| gnome-shell | source | buster | 3.30.2-11~deb10u2 | |||
| gnome-shell | source | (unstable) | 3.36.5-1 | 968311 |
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04