Package: gnome-shell
Version: 3.38.2-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: ago_debian...@protonmail.com, Debian Security Team <t...@security.debian.org>

When I use the suspend option in the power off/log out menu, gnome-shell first logs me off, as if I clicked log off instead. Then, when I enter my password on this screen, my computer enters suspend mode. Upon resuming my PC from suspend, I am logged into my user account without a password prompt. This enables a person with physical access to the machine in a suspended state to log into my account without any password required whatsoever, which is a grave security issue.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.4 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-shell depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.38.0-1
ii  evolution-data-server  3.38.2-2
ii  gir1.2-accountsservice-1.0  0.6.55-3
ii  gir1.2-atspi-2.0  2.38.0-2
ii  gir1.2-freedesktop  1.66.1-1+b1
ii  gir1.2-gcr-3  3.38.0-1
ii  gir1.2-gdesktopenums-3.0  3.38.0-2
ii  gir1.2-gdm-1.0  3.38.2.1-1
ii  gir1.2-geoclue-2.0  2.5.7-2
ii  gir1.2-glib-2.0  1.66.1-1+b1
ii  gir1.2-gnomebluetooth-1.0  3.34.3-2
ii  gir1.2-gnomedesktop-3.0  3.38.2-1
ii  gir1.2-gstreamer-1.0  1.18.2-1
ii  gir1.2-gtk-3.0  3.24.24-1
ii  gir1.2-gweather-3.0  3.36.1-1
ii  gir1.2-ibus-1.0  1.5.23-2
ii  gir1.2-mutter-7  3.38.2-1
ii  gir1.2-nm-1.0  1.28.0-2+b1
ii  gir1.2-nma-1.0  1.8.30-1
ii  gir1.2-pango-1.0  1.46.2-3
ii  gir1.2-polkit-1.0  0.105-29
ii  gir1.2-rsvg-2.0  2.50.2+dfsg-1
ii  gir1.2-soup-2.4  2.72.0-2
ii  gir1.2-upowerglib-1.0  0.99.11-2
ii  gjs  1.66.1-1
ii  gnome-backgrounds  3.38.0-1
ii  gnome-settings-daemon  3.38.1-2
ii  gnome-shell-common  3.38.2-1
ii  gsettings-desktop-schemas  3.38.0-2
ii  gstreamer1.0-pipewire  0.3.15-1
ii  libatk-bridge2.0-0  2.38.0-1
ii  libatk1.0-0  2.36.0-2
ii  libc6  2.31-9
ii  libcairo2  1.16.0-5
ii  libecal-2.0-1  3.38.2-2
ii  libedataserver-1.2-25  3.38.2-2
ii  libgcr-base-3-1  3.38.0-1
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1
ii  libgirepository-1.0-1  1.66.1-1+b1
ii  libgjs0g  1.66.1-1
ii  libgles2  1.3.2-1
ii  libglib2.0-0  2.66.4-1
ii  libglib2.0-bin  2.66.4-1
ii  libgnome-autoar-0-0  0.2.4-2
ii  libgnome-desktop-3-19  3.38.2-1
ii  libgraphene-1.0-0  1.10.2-1
ii  libgtk-3-0  3.24.24-1
ii  libical3  3.0.8-2
ii  libjson-glib-1.0-0  1.6.0-2
ii  libmutter-7-0  3.38.2-1
ii  libnm0  1.28.0-2+b1
ii  libpango-1.0-0  1.46.2-3
ii  libpangocairo-1.0-0  1.46.2-3
ii  libpolkit-agent-1-0  0.105-29
ii  libpolkit-gobject-1-0  0.105-29
ii  libpulse-mainloop-glib0  14.0-2
ii  libpulse0  14.0-2
ii  libsecret-1-0  0.20.4-1
ii  libsystemd0  247.2-4
ii  libwayland-server0  1.18.0-2~exp1.1
ii  libx11-6  2:1.6.12-1
ii  libxfixes3  1:5.0.3-2
ii  python3  3.9.1-1

Versions of packages gnome-shell recommends:
ii  bolt  0.9-1
ii  chrome-gnome-shell  10.1-5
ii  gdm3  3.38.2.1-1
ii  gkbd-capplet  3.26.1-1
ii  gnome-control-center  1:3.38.2-2
ii  gnome-menus  3.36.0-1
ii  gnome-user-docs  3.38.2-1
ii  ibus  1.5.23-2
ii  iio-sensor-proxy  3.0-1
ii  switcheroo-control  2.1-1
ii  unzip  6.0-25

Versions of packages gnome-shell suggests:
pn  gir1.2-telepathyglib-0.12  <none>
pn  gir1.2-telepathylogger-0.2  <none>

Versions of packages gnome-session depends on:
ii  gnome-session-bin  3.38.0-3
ii  gnome-session-common  3.38.0-3
ii  gnome-settings-daemon  3.38.1-2

Versions of packages gnome-session suggests:
ii  desktop-base  10.0.3
ii  gnome-keyring  3.36.0-1

Versions of packages gnome-settings-daemon depends on:
ii  gnome-settings-daemon-common  3.38.1-2
ii  gsettings-desktop-schemas  3.38.0-2
ii  libasound2  1.2.4-1.1
ii  libc6  2.31-9
ii  libcairo2  1.16.0-5
ii  libcanberra-gtk3-0  0.30-7
ii  libcanberra0  0.30-7
ii  libcolord2  1.4.4-2
ii  libcups2  2.3.3op1-5
ii  libfontconfig1  2.13.1-4.2
ii  libgcr-base-3-1  3.38.0-1
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1
ii  libgdk-pixbuf2.0-0  2.40.2-2
ii  libgeoclue-2-0  2.5.7-2
ii  libgeocode-glib0  3.26.2-2
ii  libglib2.0-0  2.66.4-1
ii  libgnome-desktop-3-19  3.38.2-1
ii  libgtk-3-0  3.24.24-1
ii  libgudev-1.0-0  234-1
ii  libgweather-3-16  3.36.1-1
ii  liblcms2-2  2.9-4+b1
ii  libmm-glib0  1.14.8-0.1
ii  libnm0  1.28.0-2+b1
ii  libnotify4  0.7.9-2
ii  libnspr4  2:4.29-1
ii  libnss3  2:3.60-1
ii  libpam-systemd [logind]  247.2-4
ii  libpango-1.0-0  1.46.2-3
ii  libpangocairo-1.0-0  1.46.2-3
ii  libpolkit-gobject-1-0  0.105-29
ii  libpulse-mainloop-glib0  14.0-2
ii  libpulse0  14.0-2
ii  libupower-glib3  0.99.11-2
ii  libwacom2  1.7-1
ii  libwayland-client0  1.18.0-2~exp1.1
ii  libx11-6  2:1.6.12-1
ii  libxext6  2:1.3.3-1.1
ii  libxi6  2:1.7.10-1

Versions of packages gnome-settings-daemon recommends:
ii  iio-sensor-proxy  3.0-1
ii  pulseaudio  14.0-2
ii  x11-xserver-utils  7.7+8

Versions of packages gnome-settings-daemon suggests:
pn  usbguard  <none>

Versions of packages libgjs0g depends on:
ii  libc6  2.31-9
ii  libcairo-gobject2  1.16.0-5
ii  libcairo2  1.16.0-5
ii  libffi7  3.3-5
ii  libgcc-s1  10.2.1-3
ii  libgirepository-1.0-1  1.66.1-1+b1
ii  libglib2.0-0  2.66.4-1
ii  libmozjs-78-0  78.4.0-2
ii  libreadline8  8.1-1
ii  libstdc++6  10.2.1-3
ii  libx11-6  2:1.6.12-1

Versions of packages gnome-shell is related to:
ii  libegl-mesa0 [libegl-vendor]  20.3.2-1
ii  libgl1-mesa-dri  20.3.2-1
ii  libglx-mesa0 [libglx-vendor]  20.3.2-1

-- no debconf information