PublicDateAtUSN: 2020-08-11 21:15:00 UTC
Candidate: CVE-2020-17489
PublicDate: 2020-08-11 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17489
 https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1377
 https://ubuntu.com/security/notices/USN-4464-1
Description:
 An issue was discovered in certain configurations of GNOME gnome-shell
 through 3.36.4. When logging out of an account, the password box from the
 login dialog reappears with the password still visible. If the user had
 decided to have the password shown in cleartext at login time, it is then
 visible for a brief moment upon a logout. (If the password were never shown
 in cleartext, only the password length is revealed.)
Ubuntu-Description:
Notes:
 mdeslaur> per upstream bug, appears to have been introduced in 3.34
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968311
 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N [4.3 MEDIUM]


Patches_gnome-shell:
 upstream: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/13137aad9db52223e8b62cecbd3456f4a7f66f04
upstream_gnome-shell: released (3.36.5-1)
precise/esm_gnome-shell: DNE
trusty_gnome-shell: ignored (out of standard support)
trusty/esm_gnome-shell: DNE
xenial_gnome-shell: not-affected (3.18.5-0ubuntu0.3)
bionic_gnome-shell: not-affected (3.28.4-0ubuntu18.04.3)
focal_gnome-shell: released (3.36.4-1ubuntu1~20.04.2)
devel_gnome-shell: released (3.37.91-1ubuntu1)