CVE-2024-5148: limit session handover to appropriate user

Bug #2066306 reported by Jeremy Bícha
Affects                         Status         Importance   Assigned to   Milestone
gnome-remote-desktop (Ubuntu)   Fix Released   Undecided    Unassigned
Noble                           Fix Released   Undecided    Unassigned

Bug Description

There is a new gnome-remote-desktop release in the stable 46.x branch.

I suggest that we simply update Ubuntu 24.04 LTS from 46.1 to 46.2 since there are other hardening improvements in the release.

Other Ubuntu releases were not affected by the specific issue that was assigned the CVE since it is unique to the new "Remote Login" feature introduced in gnome-remote-desktop 46.

Other Info
----------
There is a significant existing regression in systems that were upgraded to Ubuntu 24.04 LTS but as of today we haven't finished the fix: LP: #2063333 (This issue has nothing to do with the security fix or with gnome-remote-desktop 46.2.)

That fix might need to be handled with a regular SRU later.

Tags: noble

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-remote-desktop - 46.2-1

---------------
gnome-remote-desktop (46.2-1) experimental; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #2066306)
    - CVE-2024-5148 Limit login screen->user session handover access
      to appropriate user. This issue only affected the 46 series.
    - Various security hardening improvements
    - Potential crasher fix
    - Improved disconnection messages
    - Broader client compatibility support

 -- Jeremy Bícha <email address hidden> Tue, 21 May 2024 16:38:36 -0400

Changed in gnome-remote-desktop (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-remote-desktop - 46.2-1~ubuntu24.04.2

---------------
gnome-remote-desktop (46.2-1~ubuntu24.04.2) noble-security; urgency=medium

  * debian/rules: ignore failing tests on armhf and riscv64.

gnome-remote-desktop (46.2-1~ubuntu24.04.1) noble; urgency=medium

  * No-change backport to noble

gnome-remote-desktop (46.2-1) experimental; urgency=medium

  * SECURITY UPDATE: New upstream release (LP: #2066306)
    - CVE-2024-5148 Limit login screen->user session handover access
      to appropriate user. This issue only affected the 46 series.
    - Various security hardening improvements
    - Potential crasher fix
    - Improved disconnection messages
    - Broader client compatibility support

gnome-remote-desktop (46.1-4) experimental; urgency=medium

  * Run dh_installtmpfiles, then dh_installsysfiles, then dh_installtmpfiles
    (LP: #2063333)

gnome-remote-desktop (46.1-3) experimental; urgency=medium

  * Ensure that dh_installtmpfiles is run before dh_installsysusers
    (LP: #2063333)
  * Temporarily ignore build test failures on Debian

gnome-remote-desktop (46.1-2) experimental; urgency=medium

  * Opt into Salsa CI
  * Simplify running dh_auto_test
  * Run dh_installsysusers & dh_installtmpfiles (Closes: #1070119)
    (LP: #2063333)

 -- Marc Deslauriers <email address hidden> Thu, 23 May 2024 07:50:49 -0400

Changed in gnome-remote-desktop (Ubuntu Noble):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
