Hi Mike, thanks for triaging the issue further.
On Sat, Aug 29, 2020 at 06:08:06AM +0000, Mike Gabriel wrote: > Hi Simon, > > I just looked into CVE-2020-17489/gnome-shell for stretch and buster. It > seems that the cleartext password feature has only become available in > gnome-shell 3.36.x. > > Thus, I marked gnome-shell/buster and gnome-shell/stretch as unaffected by > CVE-2020-17489 [1]. Please correct me, if I am wrong on this. The reporter said that the issue to be visibile since 3.34 (the password length disclosed) but then got worse with 3.36 when the password visibility option was introduced leaking the clear-text password. There seem to have been several reworks around 3.33.90 with the fade out/opacitiy so this sounds plausible, but I have not found where the issue really got introduced and the logout starting missbehaving showing the information and pin-pointing the commits introducing it or enough confidence source wise where the issue started to be present. But as the contributor did some explicit testing with the versions between 3.28 and the 3.37.3 version this still seems plausible to be confirmed introduced in 3.34 only. Regards, Salvatore As a rule of thumb: for tracking vulnerabilities, we perfer to rather err on the "wrong" side saying something is affected but possibly mark it as no-dsa (when difficult to pin point where the issue got introduced) rather then be "wrong" on the other side. Thus some issues will remain be marked no-dsa when there is not enough confidence the issue is not really present.
