CVE-2020-17489

NameCVE-2020-17489
DescriptionAn issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2374-1
Debian Bugs968311

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnome-shell (PTS)buster3.30.2-11~deb10u2fixed
bullseye3.38.6-1~deb11u1fixed
bookworm43.9-0+deb12u1fixed
bookworm (security)43.6-1~deb12u2fixed
sid, trixie44.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnome-shellsourcestretch3.22.3-3+deb9u1DLA-2374-1
gnome-shellsourcebuster3.30.2-11~deb10u2
gnome-shellsource(unstable)3.36.5-1968311

Notes

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04

Search for package or bug name: Reporting problems