CVE-2024-36472

Publication date 28 May 2024

Last updated 15 August 2024


Ubuntu priority

In GNOME Shell through 45.7, a portal helper can be launched automatically (without user confirmation) based on network responses provided by an adversary (e.g., an adversary who controls the local Wi-Fi network), and subsequently loads untrusted JavaScript code, which may lead to resource consumption or other impacts depending on the JavaScript code's behavior.

Read the notes from the security team

Status

Package Ubuntu Release Status
gnome-shell 24.04 LTS noble
Fixed 46.0-0ubuntu6~24.04.3
23.10 mantic Ignored end of life, was deferred [2024-07-05]
22.04 LTS jammy
Fixed 42.9-0ubuntu2.2
20.04 LTS focal
Fixed 3.36.9-0ubuntu0.20.04.4
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected

Notes


mdeslaur

See 3408 MR, ideally in Ubuntu we would switch to disabling the portal helper and use the user's default browser instead of using the embedded gtkwebkit browser to improve security. Need to test properly and make sure this works with our default browsers.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
gnome-shell

References

Related Ubuntu Security Notices (USN)

    • USN-6963-1
    • GNOME Shell vulnerability
    • 15 August 2024

Other references