Bug 1446088 (CVE-2017-8288)

Summary: CVE-2017-8288 gnome-shell: Mishandling extensions that fail to reload
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fmuellner, otaylor
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:11:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1446091    
Bug Blocks:    

Description Adam Mariš 2017-04-27 08:57:11 UTC 
gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.

Upstream patch:

https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
Comment 1 Adam Mariš 2017-04-27 08:57:57 UTC 
Created gnome-shell tracking bugs for this issue:

Affects: fedora-all [bug 1446091]
Comment 2 Andrej Nemec 2017-04-27 14:12:48 UTC 
References:

http://seclists.org/oss-sec/2017/q2/136