Draft: [bookworm] Backport upstream fixes for CVE-2023-43090 (!75) · Merge requests · GNOME / gnome-shell

Simon McVittie requested to merge debian/bookworm-security into debian/bookworm Sep 17, 2023

This was fixed in 43.9 upstream, but 43.7, .8, .9 contain many other unrelated bug fixes which seem like too much code churn to be on the critical path for a security fix.

Closes: #1052067

I can reproduce the security issue by following the steps in https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/6990#note_1840101, and I confirm that with this change I can no longer reproduce it.

Marked as draft because the security team has not yet given permission to upload, or decided whether this is going to get a security advisory. If they don't want to issue an advisory for this, then this change will need to be retargeted for stable-proposed-updates.

/cc @carnil

Draft: [bookworm] Backport upstream fixes for CVE-2023-43090

Merge request reports