Bug #1886592 “Add support for VMware Horizon SSO to gnome-shell” : Bionic (18.04) : Bugs : gnome-shell package : Ubuntu

Matthew Ruffell (mruffell) on 2020-07-06

Changed in gnome-shell (Ubuntu Bionic):
status:	New → In Progress
Changed in gnome-shell (Ubuntu Focal):
status:	New → In Progress
Changed in gnome-shell (Ubuntu Groovy):
status:	New → In Progress
Changed in gnome-shell (Ubuntu Eoan):
status:	New → Won't Fix
Changed in gnome-shell (Ubuntu Bionic):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in gnome-shell (Ubuntu Focal):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in gnome-shell (Ubuntu Groovy):
assignee:	nobody → Matthew Ruffell (mruffell)
tags:	added: sts

Daniel van Vugt (vanvugt) on 2020-07-07

Changed in gnome-shell (Ubuntu Groovy):
status:	In Progress → Fix Committed
tags:	added: bionic fixed-in-3.37.3 fixed-upstream focal groovy
Changed in gnome-shell (Ubuntu Bionic):
importance:	Undecided → Wishlist
Changed in gnome-shell (Ubuntu Focal):
importance:	Undecided → Wishlist
Changed in gnome-shell (Ubuntu Groovy):
importance:	Undecided → Wishlist

Revision history for this message

Marco Trevisan (Treviño) (3v1n0) wrote on 2020-07-17:

#1

Is this something we need to get backported to focal?

As I don't think could be included in upstream's gnome-3-36 branch, so we'll have to carry the patch

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-09-11:

#2

Download full text (4.6 KiB)

This bug was fixed in the package gnome-shell - 3.37.91-1ubuntu1

---------------
gnome-shell (3.37.91-1ubuntu1) groovy; urgency=medium

  * Merge with debian, including new upstream release, remaining changes:
    - Replace gnome-backgrounds dep with ubuntu-wallpapers and Suggests
      gnome-themes-standard-data, gnome-backgrounds
    - Add some Recommends:
      + ubuntu-session (| gnome-session) to have the ubuntu session available
      + xserver-xorg-legacy
      + yaru-theme-gnome-shell for the default ubuntu theming
    - Update debian/gbp.conf with Ubuntu settings
    - gnome-shell-common.prerm: Remove deprecated ubuntu theme alternative
    - ubuntu/desktop_detect.patch:
      + add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    - ubuntu/smarter_alt_tab.patch:
      + quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    - ubuntu/lightdm-user-switching.patch:
      + Allow user switching when using LightDM.
    - ubuntu/lock_on_suspend.patch
      + Respect Ubuntu's lock-on-suspend setting.
    - ubuntu/background_login.patch
      + Change default background color as we modified the default GDM color
        for our ubuntu session.
    - ubuntu/gdm_alternatives.patch
      + Add support for GDM3 theme alternatives
    - optional-hot-corner.patch
      + enable patch proposed by upstream developer already in package (but
        not in series) to add a settings for optional hot corner activation.
    - main-show-an-error-message-on-gnome-shell-crash.patch,
      global-make-possible-to-set-debug-flags-dynamically.patch,
      main-increase-the-granularity-of-backtraces-in-SHELL_DEBU.patch,
      main-add-backtrace-crashes-all-and-backtrace-all.patch,
      sessionMode-add-support-for-debugFlags-parameter.patch:
      + Improve debug JS tracing for crash reports
    - st-scroll-view-Handle-the-case-where-scrollbars-are-NULL.patch:
      + Fix crash on theme changes
    - ubuntu/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch:
      + stop searches when requested from UI
    - magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch:
      + Show monitor scaled cursor when magnifier is enabled
    - Break gnome-shell-extension-desktop-icons (<< 19.01.3+git20190814)
  * debian/patches: Refreshed
  * debian/control:
    - Set breaks on upcoming core extensions. This update is going to break
      them, so we need extensions updates before migra
    - Set breaks on upcoming yaru theme.
      There are not big deals using the current yaru, but better to wait for a
      suynced one.

gnome-shell (3.37.91-1) experimental; urgency=medium

  * New upstream release:
    - Inhibit remote access when disabled by session mode
    - Remove Frequent view from app picker
    - Allow rearranging items in app picker
    - Add support for parental controls filtering
    - Support pre-authenticated logins in vmware...

This bug was fixed in the package gnome-shell - 3.37.91-1ubuntu1

---------------
gnome-shell (3.37.91-1ubuntu1) groovy; urgency=medium

* Merge with debian, including new upstream release, remaining changes:
    - Replace gnome-backgrounds dep with ubuntu-wallpapers and Suggests
      gnome-themes-standard-data, gnome-backgrounds
    - Add some Recommends:
      + ubuntu-session (| gnome-session) to have the ubuntu session available
      + xserver-xorg-legacy
      + yaru-theme-gnome-shell for the default ubuntu theming
    - Update debian/gbp.conf with Ubuntu settings
    - gnome-shell-common.prerm: Remove deprecated ubuntu theme alternative
    - ubuntu/desktop_detect.patch:
      + add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    - ubuntu/smarter_alt_tab.patch:
      + quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    - ubuntu/lightdm-user-switching.patch:
      + Allow user switching when using LightDM.
    - ubuntu/lock_on_suspend.patch
      + Respect Ubuntu's lock-on-suspend setting.
    - ubuntu/background_login.patch
      + Change default background color as we modified the default GDM color
        for our ubuntu session.
    - ubuntu/gdm_alternatives.patch
      + Add support for GDM3 theme alternatives
    - optional-hot-corner.patch
      + enable patch proposed by upstream developer already in package (but
        not in series) to add a settings for optional hot corner activation.
    - main-show-an-error-message-on-gnome-shell-crash.patch,
      global-make-possible-to-set-debug-flags-dynamically.patch,
      main-increase-the-granularity-of-backtraces-in-SHELL_DEBU.patch,
      main-add-backtrace-crashes-all-and-backtrace-all.patch,
      sessionMode-add-support-for-debugFlags-parameter.patch:
      + Improve debug JS tracing for crash reports
    - st-scroll-view-Handle-the-case-where-scrollbars-are-NULL.patch:
      + Fix crash on theme changes
    - ubuntu/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch:
      + stop searches when requested from UI
    - magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch:
      + Show monitor scaled cursor when magnifier is enabled
    - Break gnome-shell-extension-desktop-icons (<< 19.01.3+git20190814)
  * debian/patches: Refreshed
  * debian/control:
    - Set breaks on upcoming core extensions. This update is going to break
      them, so we need extensions updates before migra
    - Set breaks on upcoming yaru theme.
      There are not big deals using the current yaru, but better to wait for a
      suynced one.

gnome-shell (3.37.91-1) experimental; urgency=medium

* New upstream release:
    - Inhibit remote access when disabled by session mode
    - Remove Frequent view from app picker
    - Allow rearranging items in app picker
    - Add support for parental controls filtering
    - Support pre-authenticated logins in vmware environments (LP: #1886592)
    - Update microphone icon on input volume changes
    - Support prepending workspace with horizontal layouts
    - Move calendar events out of notifications list
    - Expose actor tree in looking glass
    - Add support for "PrefersNonDefaultGPU" desktop key
    - Move screencasting into a separate service (needs pipewire)
    - Default to not installing updates on low battery
    - Refactor and clean up app picker pagination (LP: #1873725)
    - Misc fixes and memory improvements
  * debian/control:
    - Depend on debhelper-compat = 13
    - Remove useless dependency on mutter (the binary)
    - Test depend on gir1.2-upowerglib-1.0
    - Update build dependencies to match upstream
    - Remove leading space in gnome-shell-extension-prefs description
  * debian/patches: Drop them all
  * debian/rules:
    - Don't manually set --fail-missing (included in dh 13)
    - Remove uneeded test environment variables overrides (included in dh 13)
  * debian/sources/lintian-override:
    - Override some desktop files related warnings
  * debian/gbp.conf: Point to upstream/latest
  * debian/watch: Monitor unstable versions

gnome-shell (3.36.5-1) unstable; urgency=medium

* Team upload
  * New upstream release
    - Fix password briefly showing on login dialog during logout if it
      was previously made visible (CVE-2020-17489, Closes: #968311)
  * Drop most patches, applied upstream

-- Marco Trevisan (Treviño) <marco@ubuntu.com>  Thu, 27 Aug 2020 23:14:01 +0200

Changed in gnome-shell (Ubuntu Groovy):
status:	Fix Committed → Fix Released

Matthew Ruffell (mruffell) on 2020-10-18

description:

updated

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2020-10-19:

#3

gnome-shell debdiff for Focal Edit (18.7 KiB, text/plain)

Attached is a debdiff for gnome-shell for Focal with the required patches to implement VMware Horizon SSO support.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2020-10-19:

#4

gnome-shell debdiff for Bionic Edit (18.9 KiB, text/plain)

Attached is a debdiff for Bionic which implements support for VMware Horizon SSO in gnome-shell.

Marco Trevisan (Treviño) (3v1n0) on 2020-12-15

Changed in gnome-shell (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Brian Murray (brian-murray) wrote on 2020-12-15: Please test proposed package

#5

Hello Matthew, or anyone else affected,

Accepted gnome-shell into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-shell/3.36.7-0ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags:

added: verification-needed verification-needed-focal

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2020-12-22:

#6

Hello Matthew, or anyone else affected,

Accepted gnome-shell into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gnome-shell/3.28.4-0ubuntu18.04.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gnome-shell (Ubuntu Bionic):
status:	In Progress → Fix Committed
tags:	added: verification-needed-bionic

Mathew Hodson (mhodson) on 2021-01-22

Changed in gnome-shell (Ubuntu Eoan):
importance:	Undecided → Wishlist

Revision history for this message

Amr Ibrahim (amribrahim1987) wrote on 2021-01-26:

#7

Please verify the fix in focal-proposed.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-03-22:

#8

Download full text (9.9 KiB)

Performing verification for gnome-shell in Focal.

During this verification I will explain how VMware Horizon SSO works, and will prove that the gnome-shell in -proposed is equivalent to the custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation download page. The next step is to locate the "Linux Agent x86_64". The file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce, please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more in the VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

oot 1410 0.0 0.1 345920 10840 ? Sl 15:09 0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root 1411 2.1 0.1 77128 9208 ? Sl 15:09 0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root 1463 0.0 0.0 107056 6812 ? Sl 15:09 0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root 1477 1.4 0.7 1129928 61244 ? Sl 15:09 0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resour
root 1530 0.0 0.1 177392 9172 ? Sl 15:09 0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm 1535 0.0 0.0 5300 1108 ? Ss 15:09 0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm 1536 0.2 0.0 7556 4672 ? S 15:09 0:00 dbus-daemon --nofork --print-address 4 --session
gdm 1537 0.3 0.2 568700 16920 ? Sl 15:09 0:00 /usr/libexec/gnome-session-binary --systemd --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of this is launched by /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in /usr/share/gdm/greeter/autostart, one of which starts up SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewage...

Performing verification for gnome-shell in Focal.

During this verification I will explain how VMware Horizon SSO works, and will prove that the gnome-shell in -proposed is equivalent to the custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation download page. The next step is to locate the "Linux Agent x86_64". The file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce, please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more in the VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

oot        1410  0.0  0.1 345920 10840 ?        Sl   15:09   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root        1411  2.1  0.1  77128  9208 ?        Sl   15:09   0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root        1463  0.0  0.0 107056  6812 ?        Sl   15:09   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root        1477  1.4  0.7 1129928 61244 ?       Sl   15:09   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resour
root        1530  0.0  0.1 177392  9172 ?        Sl   15:09   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm         1535  0.0  0.0   5300  1108 ?        Ss   15:09   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm         1536  0.2  0.0   7556  4672 ?        S    15:09   0:00 dbus-daemon --nofork --print-address 4 --session
gdm         1537  0.3  0.2 568700 16920 ?        Sl   15:09   0:00 /usr/libexec/gnome-session-binary --systemd --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of this is launched by /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in /usr/share/gdm/greeter/autostart, one of which starts up SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py runs, it reads in a SSO token generated by desktopDaemon from stdin, and then makes sure the display matches what xorg is running on, and then sends a UserAuthenticated signal to DBUS on '/org/vmware/viewagent/Credentials' and 'org.vmware.viewagent.Credentials'.

Lets do this manually, since we are in KVM and not on an actual VMware Horizon cluster.

Execute:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

The custom gnome-shell distributed by VMware listens on org.vmware.viewagent.Credentials.D100 (yes, that is a per-display dbus address) which then checks to see if the token is any good, and passes it to PAM for processing.

PAM then calls the module gdm-vmwcred, which then talks to the SSSD and krb5 PAM modules to authenticate against an AD server. But in our repro environment, this won't work.

But the main thing is, if you check:

/var/log/auth.log:
Mar 22 15:14:45 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and

/var/log/vmware/pam_vmw_log:
2021:03:22 15:14:45 : Authentication begins
2021:03:22 15:14:45 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:14:45 : VMWARE Token is invaild.
2021:03:22 15:14:45 : Failed to acquire user's credentials
2021:03:22 15:14:45 : Authentication ends

We see gnome-shell does infact call PAM.

On vanilla installs of gnome-shell, i.e. gnome-shell 3.36.4-1ubuntu1~20.04.2 and earlier, if you attempted to do this, gnome-shell would not talk to PAM as it does not understand the per-display dbus logic.

Now, on the customer environment, SSO works fine with the custom gnome-shell library, as they are correctly configured for SSSD / krb5 to their AD server.

Now, let's repeat the process, but this time, we are going to use the new gnome-shell package in -proposed.

Start with a clean Focal Desktop VM.

Copy the VMware Horizon Linux agent over.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools

Now, this step is VERY VERY VERY important.

Install the viewagent with the additional flag "-G yes":

$ sudo ./install_viewagent.sh -G yes -T yes

The "-G yes" flag tells the installer to not overwrite gnome-shell, and to instead switch to upstream SSO patch support mode.

Then enable -proposed, and install gnome-shell version 3.36.7-0ubuntu0.20.04.1

$ cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
$ sudo apt update
$ sudo apt install gnome-shell gnome-shell-common 
$ sudo apt-cache policy gnome-shell | grep Installed
Installed: 3.36.7-0ubuntu0.20.04.1

Reboot.

$ sudo reboot

Now, when the system comes up, again verify the following processes:

root        1440  0.0  0.1 345920 10928 ?        Sl   15:27   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root        1442  2.2  0.1  77128  9032 ?        Sl   15:27   0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root        1473  0.0  0.0 107056  6736 ?        Sl   15:27   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root        1482  0.8  0.7 1129924 60924 ?       Sl   15:27   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resour
root        1534  0.0  0.1 177392  9136 ?        Sl   15:27   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm         1539  0.0  0.0   5300  1108 ?        Ss   15:27   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm         1540  0.1  0.0   7524  4572 ?        S    15:27   0:00 dbus-daemon --nofork --print-address 4 --session
gdm         1541  0.2  0.2 494964 17008 ?        Sl   15:27   0:00 /usr/libexec/gnome-session-binary --systemd --autostart /usr/share/gdm/greeter/autostart

This time, since we used the special "-G yes" flag when installing the Horizon Agent, we get an additional process, SsoDispatcher.py:

gdm         1784  0.1  0.2  47504 19504 ?        S    15:27   0:00 /usr/bin/python3 /usr/lib/vmware/viewagent/sso/SsoDispatcher.py

This is executed from /usr/share/gdm/greeter/autostart/vmware-sso-dispatcher.desktop file called by dbus-run-session.

Now, what SsoDispatcher.py does is listen on the per-display dbus credientals interface org.vmware.viewagent.Credentials.D100, if it sees a UserAuthenticated signal, it forwards it to the new dbus interface that the upstream gnome-shell patches listen on, which is org.vmware.viewagent.Credentials.

So SsoDispatcher.py acts as a bridge between old VMware implementation, and what is implemented in the gnome-shell packages in -proposed.

Now, if we issue the call to SsoDBusNotify.py:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

SsoDbusNotify.py sends the token to SsoDispatcher.py which sends the token to gnome-shell, which then forwards the token to PAM for processing.

Again, if we check the logs:

/var/log/auth.log
Mar 22 15:33:22 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and also in

/var/log/vmware/pam_vmw_log:
2021:03:22 15:33:22 : Authentication begins
2021:03:22 15:33:22 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:33:22 : VMWARE Token is invaild.
2021:03:22 15:33:22 : Failed to acquire user's credentials
2021:03:22 15:33:22 : Authentication ends

Thus, gnome-shell correctly received the token and passed it to PAM for processing.

We have tested this pretty in depth on the customers actual VMware Horizon environment, and it took us a lot of time, but we can see that the gnome-shell package in -proposed works, and properly authenticates with PAM and SSO functions as intended.

I can't share any logs from the customer's environment showing PAM working, sorry. But it does.

We have tested against the following VMware Horizon Linux Agents:

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-17123958.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-16944161.tar.gz

All work. The customer is finally ready and happy to sign off on the packages in -proposed.

I am happy to sign off and mark the gnome-shell version 3.36.7-0ubuntu0.20.04.1 as verified.

If you have any questions on the above verification, please contact me, or Marco.

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2021-03-22:

#9

Download full text (10.2 KiB)

Performing verification for gnome-shell in Bionic.

During this verification I will explain how VMware Horizon SSO works, and will prove that the gnome-shell in -proposed is equivalent to the custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation download page. The next step is to locate the "Linux Agent x86_64". The file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce, please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more in the VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

root 1406 0.0 0.0 4904 2020 ? S 15:53 0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root 1447 0.0 0.2 404328 10968 ? Sl 15:53 0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root 1449 2.2 0.2 102060 9060 ? Sl 15:53 0:02 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root 1479 0.0 0.1 139968 6528 ? Sl 15:53 0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root 1488 0.2 1.4 611572 56464 ? Sl 15:53 0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root 1532 0.0 0.2 258560 8088 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm 1535 0.0 0.0 25464 1528 ? Ss 15:53 0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm 1536 0.0 0.1 50244 4528 ? S 15:53 0:00 dbus-daemon --nofork --print-address 4 --session
gdm 1537 0.0 0.3 551880 13892 ? Sl 15:53 0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of this is launched by /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbu...

Performing verification for gnome-shell in Bionic.

During this verification I will explain how VMware Horizon SSO works, and will prove that the gnome-shell in -proposed is equivalent to the custom gnome-shell package distributed by VMware.

I will begin by walking through the SSO workflow, based around the custom gnome-shell package distributed by VMware.

Firstly, start with a fresh Focal Desktop VM, all up to date.

Visit the VMware website, specifically this link:

https://my.vmware.com/en/web/vmware/evalcenter?p=horizon-eval-8

Sign up for a VMware account and reach the VMware Horizon 8 evaluation download page. The next step is to locate the "Linux Agent x86_64". The file is named

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz

If you have difficulty in obtaining this file and want to reproduce, please message me.

Download and copy to the Focal VM.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject
$ sudo ./install_viewagent.sh -T yes

Now, this will install a custom patched gnome-shell library, which contains the following patches:

https://paste.ubuntu.com/p/q4fkNrqHQT/

You can find this, and more in the VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770/sso directory.

Reboot the VM.

When it comes back up, run "ps aux". You will see:

root      1406  0.0  0.0   4904  2020 ?        S    15:53   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1447  0.0  0.2 404328 10968 ?        Sl   15:53   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.2  0.2 102060  9060 ?        Sl   15:53   0:02 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1479  0.0  0.1 139968  6528 ?        Sl   15:53   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.2  1.4 611572 56464 ?        Sl   15:53   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1532  0.0  0.2 258560  8088 ?        Sl   15:53   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1535  0.0  0.0  25464  1528 ?        Ss   15:53   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1536  0.0  0.1  50244  4528 ?        S    15:53   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1537  0.0  0.3 551880 13892 ?        Sl   15:53   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

Now, the SSO desktop for the VDI is on xorg display :100, and all of this is launched by /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon.

The dbus-run-session runs a bunch of autostart scripts in /usr/share/gdm/greeter/autostart, one of which starts up SsoDBusNotify.py.

Now, when /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py runs, it reads in a SSO token generated by desktopDaemon from stdin, and then makes sure the display matches what xorg is running on, and then sends a UserAuthenticated signal to DBUS on '/org/vmware/viewagent/Credentials' and 'org.vmware.viewagent.Credentials'.

Lets do this manually, since we are in KVM and not on an actual VMware Horizon cluster.

Execute:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

The custom gnome-shell distributed by VMware listens on org.vmware.viewagent.Credentials.D100 (yes, that is a per-display dbus address) which then checks to see if the token is any good, and passes it to PAM for processing.

PAM then calls the module gdm-vmwcred, which then talks to the SSSD and krb5 PAM modules to authenticate against an AD server. But in our repro environment, this won't work.

But the main thing is, if you check:

/var/log/auth.log:
Mar 22 15:55:51 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and

/var/log/vmware/pam_vmw_log:
2021:03:22 15:55:51 : Authentication begins
2021:03:22 15:55:51 : SSOChannel_AcquireUserCredentials called.
2021:03:22 15:55:51 : VMWARE Token is invaild.
2021:03:22 15:55:51 : Failed to acquire user's credentials
2021:03:22 15:55:51 : Authentication ends

We see gnome-shell does infact call PAM.

On vanilla installs of gnome-shell, i.e. gnome-shell 3.28.4-0ubuntu18.04.3 and earlier, if you attempted to do this, gnome-shell would not talk to PAM as it does not understand the per-display dbus logic.

Now, on the customer environment, SSO works fine with the custom gnome-shell library, as they are correctly configured for SSSD / krb5 to their AD server.

Now, let's repeat the process, but this time, we are going to use the new gnome-shell package in -proposed.

Start with a clean Focal Desktop VM.

Copy the VMware Horizon Linux agent over.

$ scp VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz ubuntu@target:~/
$ ssh ubuntu@target
$ tar -xf VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
$ cd VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770

Next, install the VMware Horizon Linux Agent by following the instructions at:

https://docs.vmware.com/en/VMware-Horizon-7/7.13/linux-desktops-setup/GUID-B4111821-34F2-465B-B290-FC2070EFCB5A.html

$ sudo apt install libpam-pkcs11
$ sudo apt install libnss3-tools
$ sudo apt install open-vm-tools
$ sudo apt install python python-dbus python-gobject

Now, this step is VERY VERY VERY important.

Install the viewagent with the additional flag "-G yes":

$ sudo ./install_viewagent.sh -G yes -T yes

The "-G yes" flag tells the installer to not overwrite gnome-shell, and to instead switch to upstream SSO patch support mode.

Then enable -proposed, and install gnome-shell version

$ cat << EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed main universe
EOF
$ sudo apt update
$ sudo apt install gnome-shell gnome-shell-common 
$ sudo apt-cache policy gnome-shell | grep Installed
Installed: 3.28.4-0ubuntu18.04.7

Reboot.

$ sudo reboot

Now, when the system comes up, again verify the following processes:

root      1412  0.0  0.0   4904  2004 ?        S    16:06   0:00 /bin/sh /usr/lib/vmware/viewagent/bin/GetMachineId.sh
root      1448  0.0  0.2 404380 10792 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/DesktopDaemon/desktopDaemon
root      1449  2.1  0.2 102060  8556 ?        Sl   16:06   0:00 /usr/lib/vmware/viewagent/VMwareBlastServer/BlastServer
root      1473  0.0  0.1 139968  6628 ?        Sl   16:06   0:00 desktopWorker -x /usr/lib/vmware/viewagent/bin/StartXServer.sh -d :100 -s 1 -p 13
root      1488  0.8  1.4 611808 57228 ?        Sl   16:06   0:00 /usr/lib/xorg/Xorg :100 -auth /var/vmware/viewagent/xauth/.xauth:100 -once -query 127.0.0.1 -config /usr/lib/vmware/viewagent/resource
root      1534  0.0  0.2 258560  8212 ?        Sl   16:06   0:00 gdm-session-worker [pam/gdm-launch-environment]
gdm       1537  0.0  0.0  25464  1528 ?        Ss   16:06   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
gdm       1538  0.2  0.1  50212  4364 ?        S    16:06   0:00 dbus-daemon --nofork --print-address 4 --session
gdm       1539  0.2  0.3 625616 13916 ?        Sl   16:06   0:00 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart

This time, since we used the special "-G yes" flag when installing the Horizon Agent, we get an additional process, SsoDispatcher.py:

gdm       1712  0.1  0.3  72856 12992 ?        S    16:06   0:00 /usr/bin/python /usr/lib/vmware/viewagent/sso/SsoDispatcher.py

This is executed from /usr/share/gdm/greeter/autostart/vmware-sso-dispatcher.desktop file called by dbus-run-session.

Now, what SsoDispatcher.py does is listen on the per-display dbus credientals interface org.vmware.viewagent.Credentials.D100, if it sees a UserAuthenticated signal, it forwards it to the new dbus interface that the upstream gnome-shell patches listen on, which is org.vmware.viewagent.Credentials.

So SsoDispatcher.py acts as a bridge between old VMware implementation, and what is implemented in the gnome-shell packages in -proposed.

Now, if we issue the call to SsoDBusNotify.py:

$ sudo /usr/lib/vmware/viewagent/bin/SsoDBusNotify.py -t sso -d :100

When asked, input the token: "12345DISPLAY:100".

SsoDbusNotify.py sends the token to SsoDispatcher.py which sends the token to gnome-shell, which then forwards the token to PAM for processing.

Again, if we check the logs:

/var/log/auth.log
Mar 22 16:07:07 ubuntu gdm-vmwcred]: pam_vmw_cred(gdm-vmwcred:auth): Failed to acquire user's credentials

and also in

/var/log/vmware/pam_vmw_log
2021:03:22 16:07:07 : Authentication begins
2021:03:22 16:07:07 : SSOChannel_AcquireUserCredentials called.
2021:03:22 16:07:07 : VMWARE Token is invaild.
2021:03:22 16:07:07 : Failed to acquire user's credentials
2021:03:22 16:07:07 : Authentication ends

Thus, gnome-shell correctly received the token and passed it to PAM for processing.

We have tested this pretty in depth on the customers actual VMware Horizon environment, and it took us a lot of time, but we can see that the gnome-shell package in -proposed works, and properly authenticates with PAM and SSO functions as intended.

I can't share any logs from the customer's environment showing PAM working, sorry. But it does.

We have tested against the following VMware Horizon Linux Agents:

VMware-horizonagent-linux-x86_64-2012-8.1.0-17336770.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-17123958.tar.gz
VMware-horizonagent-linux-x86_64-7.13.0-16944161.tar.gz

All work. The customer is finally ready and happy to sign off on the packages in -proposed.

I am happy to sign off and mark the gnome-shell version 3.28.4-0ubuntu18.04.7 as verified.

If you have any questions on the above verification, please contact me, or Marco.

tags:

added: verification-done-bionic
removed: verification-needed verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-03-25:

#10

This bug was fixed in the package gnome-shell - 3.36.7-0ubuntu0.20.04.1

---------------
gnome-shell (3.36.7-0ubuntu0.20.04.1) focal; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * New upstream release (LP: #1903764)
    - Fix potential stack overflow in libcroco
    - Fix system action search regressions
    - Fix week number alignment when using font-scaling
    - Misc. bug fixes and cleanups
  * debian/patches:
    - Refresh
    - Handle screenshot failures gracefully (LP: #1908187)

  [ Matthew Ruffell ]
  * authPrompt-Properly-get-oVirt-service-name.patch,
    authPrompt-set-value-of-beginRequestType-to-DONT_PROVIDE_.patch,
    gdm-Introduce-vmware-credential-manager-for-pre-authentic.patch,
    gdm-Refactor-oVirt-to-a-generic-CredentialManager-interfa.patch:
    - Enable support for VMware Horizon SSO to ensure compatibility
      with the Horizon Agent (LP: #1886592)

gnome-shell (3.36.6-1ubuntu0.20.04.1) focal; urgency=medium

* Merge with debian, containing new stable release (LP: #1896334)
* debian/patches: Refresh, drop merged CVE-2020-17489.patch

gnome-shell (3.36.6-1) unstable; urgency=medium

* Team upload

* New upstream release

gnome-shell (3.36.5-1) unstable; urgency=medium

  * Team upload
  * New upstream release
    - Fix password briefly showing on login dialog during logout if it
      was previously made visible (CVE-2020-17489, Closes: #968311)
  * Drop most patches, applied upstream

-- Marco Trevisan (Treviño) <email address hidden> Tue, 15 Dec 2020 05:54:44 +0100

Changed in gnome-shell (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2021-03-25: Update Released

#11

The verification of the Stable Release Update for gnome-shell has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-04-08:

#12

This bug was fixed in the package gnome-shell - 3.28.4-0ubuntu18.04.7

---------------
gnome-shell (3.28.4-0ubuntu18.04.7) bionic; urgency=medium

  [ Matthew Ruffell ]
  * d/p/authPrompt-Properly-get-oVirt-service-name.patch,
    d/p/authPrompt-set-value-of-beginRequestType-to-DONT_PROVIDE_.patch,
    d/p/gdm-Introduce-vmware-credential-manager-for-pre-authentic.patch,
    d/p/gdm-Refactor-oVirt-to-a-generic-CredentialManager-interfa.patch:
    - Enable support for VMware Horizon SSO to ensure compatibility
      with the Horizon Agent (LP: #1886592)

[ Marco Trevisan (Treviño) ]
* debian/patches: Rename VMWare OVirt patches to use Gbp-Pq format

gnome-shell (3.28.4-0ubuntu18.04.6) bionic; urgency=medium

  - d/p/util-cache-local-GTimeZone.patch
    d/p/ShellAppCache-add-cache-to-help-keep-I-O-off-main-thread.patch,
    d/p/appDisplay-use-ShellAppCache-to-translate-folder-names.patch,
    d/p/appDisplay-use-ShellAppCache-to-access-GAppInfo.patch,
    d/p/Revert-appDisplay-use-ShellAppCache-to-access-GAppInfo.patch,
    d/p/Revert-appDisplay-use-ShellAppCache-to-translate-folder-n.patch,
    d/p/Revert-ShellAppCache-add-cache-to-help-keep-I-O-off-main-.patch,
    d/p/Revert-util-cache-local-GTimeZone.patch:
    + Include all the upstream patches to fix notification freezes
      (LP: #1838152).
  - d/p/series: Reorder so that upstream fixes come first

gnome-shell (3.28.4-0ubuntu18.04.5) bionic; urgency=medium

  * d/p/keyboardManager_apply-added-input-sources-instantly.patch:
    - Renamed to keyboardManager-Avoid-idempotent-calls-to-meta_backend_se.patch
    - Fixed DEP-3 tagging, and update them as per upstream cherry-pick
  * d/p/shell-global-Make-saving-of-persistent-state-asynchronous.patch:
    - Make saving of persistent state asynchronous (LP: #1838152)

gnome-shell (3.28.4-0ubuntu18.04.4) bionic; urgency=medium

  * d/p/keyboardManager_apply-added-input-sources-instantly.patch:
    - Make added input sources work instantly without relogin/reboot
      or other tricks (LP: #1890875).

-- Marco Trevisan (Treviño) <email address hidden> Wed, 16 Dec 2020 01:24:41 +0100

This bug was fixed in the package gnome-shell - 3.28.4-0ubuntu18.04.7

---------------
gnome-shell (3.28.4-0ubuntu18.04.7) bionic; urgency=medium

[ Matthew Ruffell ]
  * d/p/authPrompt-Properly-get-oVirt-service-name.patch,
    d/p/authPrompt-set-value-of-beginRequestType-to-DONT_PROVIDE_.patch,
    d/p/gdm-Introduce-vmware-credential-manager-for-pre-authentic.patch,
    d/p/gdm-Refactor-oVirt-to-a-generic-CredentialManager-interfa.patch:
    - Enable support for VMware Horizon SSO to ensure compatibility
      with the Horizon Agent (LP: #1886592)

[ Marco Trevisan (Treviño) ]
  * debian/patches: Rename VMWare OVirt patches to use Gbp-Pq format

gnome-shell (3.28.4-0ubuntu18.04.6) bionic; urgency=medium

- d/p/util-cache-local-GTimeZone.patch
    d/p/ShellAppCache-add-cache-to-help-keep-I-O-off-main-thread.patch,
    d/p/appDisplay-use-ShellAppCache-to-translate-folder-names.patch,
    d/p/appDisplay-use-ShellAppCache-to-access-GAppInfo.patch,
    d/p/Revert-appDisplay-use-ShellAppCache-to-access-GAppInfo.patch,
    d/p/Revert-appDisplay-use-ShellAppCache-to-translate-folder-n.patch,
    d/p/Revert-ShellAppCache-add-cache-to-help-keep-I-O-off-main-.patch,
    d/p/Revert-util-cache-local-GTimeZone.patch:
    + Include all the upstream patches to fix notification freezes
      (LP: #1838152).
  - d/p/series: Reorder so that upstream fixes come first

gnome-shell (3.28.4-0ubuntu18.04.5) bionic; urgency=medium

* d/p/keyboardManager_apply-added-input-sources-instantly.patch:
    - Renamed to keyboardManager-Avoid-idempotent-calls-to-meta_backend_se.patch
    - Fixed DEP-3 tagging, and update them as per upstream cherry-pick
  * d/p/shell-global-Make-saving-of-persistent-state-asynchronous.patch:
    - Make saving of persistent state asynchronous (LP: #1838152)

gnome-shell (3.28.4-0ubuntu18.04.4) bionic; urgency=medium

* d/p/keyboardManager_apply-added-input-sources-instantly.patch:
    - Make added input sources work instantly without relogin/reboot
      or other tricks (LP: #1890875).

-- Marco Trevisan (Treviño) <marco@ubuntu.com>  Wed, 16 Dec 2020 01:24:41 +0100

Changed in gnome-shell (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2022-10-29

Changed in gnome-shell:
status:	Unknown → Fix Released

Ubuntu
gnome-shell package

Add support for VMware Horizon SSO to gnome-shell

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to
GNOME Shell	Fix Released	Unknown	auto-gitlab.gnome.org-gnome-gnome-shell-- #1983
gnome-shell (Ubuntu)	Fix Released	Wishlist	Matthew Ruffell
Bionic	Fix Released	Wishlist	Matthew Ruffell
Eoan	Won't Fix	Wishlist	Unassigned
Focal	Fix Released	Wishlist	Matthew Ruffell
Groovy	Fix Released	Wishlist	Matthew Ruffell

Ubuntugnome-shell package

Add support for VMware Horizon SSO to gnome-shell

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
gnome-shell package