CVE-2024-36472
Published: 28 May 2024
In GNOME Shell through 45.7, a portal helper can be launched automatically (without user confirmation) based on network responses provided by an adversary (e.g., an adversary who controls the local Wi-Fi network), and subsequently loads untrusted JavaScript code, which may lead to resource consumption or other impacts depending on the JavaScript code's behavior.
Notes
| Author | Note |
|---|---|
| mdeslaur |
See 3408 MR, ideally in Ubuntu we would switch to disabling the portal helper and use the user's default browser instead of using the embedded gtkwebkit browser to improve security. Need to test properly and make sure this works with our default browsers. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gnome-shell
Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(3.36.9-0ubuntu0.20.04.4)
|
|
| jammy |
Released
(42.9-0ubuntu2.2)
|
|
| mantic |
Ignored
(end of life, was deferred [2024-07-05])
|
|
| noble |
Released
(46.0-0ubuntu6~24.04.3)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
Patches:
upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3307 upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3408 upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/5aa89fa9e62d20c99afd2eff13901faef96244ad upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/57de9ee874bff07b71dc323e54d5d721c4ded7fe upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/4ab1ccf3f21b754ce4be77becf5df46084a893d8 upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/14037478633c15a38a63d46af5f7d28bc00fd376 |
||