CVE-2017-8288

Name: CVE-2017-8288
Description: gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| gnome-shell (PTS) | jessie | 3.14.4-1~deb8u1 | vulnerable |
| | stretch | 3.22.3-3 | fixed |
| | buster | 3.30.2-9 | fixed |
| | bullseye, sid | 3.30.2-11 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gnome-shell | source | (unstable) | 3.22.3-3 | medium | | |

Notes

[jessie] - gnome-shell <no-dsa> (Minor issue)
[wheezy] - gnome-shell <no-dsa> (Minor issue)
https://bugzilla.gnome.org/show_bug.cgi?id=781728
https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
