CVE-2020-17489

NameCVE-2020-17489
DescriptionAn issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2374-1
NVD severitylow
Debian Bugs968311

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnome-shell (PTS)stretch3.22.3-3vulnerable
stretch (security)3.22.3-3+deb9u1fixed
buster3.30.2-11~deb10u2fixed
bullseye3.36.6-1fixed
sid3.38.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnome-shellsourcestretch3.22.3-3+deb9u1DLA-2374-1
gnome-shellsourcebuster3.30.2-11~deb10u2
gnome-shellsource(unstable)3.36.5-1968311

Notes

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377
https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04

Search for package or bug name: Reporting problems