oss-sec mailing list archives
Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere
From: David Woodhouse <dwmw2 () infradead org>
Date: Wed, 16 Mar 2011 10:47:37 +0000
On Tue, 2011-03-15 at 17:10 -0400, Josh Bressers wrote:
Issue #2 Vino can open ports via uPnP without alerting the user. https://bugzilla.redhat.com/show_bug.cgi?id=678846 Use CVE-2011-1165
I strongly disagree that this is CVE-worthy, or even a bug. That's what uPnP is *for*. Opening a port with uPnP, in a NAT-afflicted situation, is identical to binding to and listening on INADDR_ANY when you have real network connectivity. It's the moral equivalent to automatically using SOCKS to make outbound connections, if you're afflicted with a network that needs that. There *is* an option to disable this feature, if the user really wants to. And of course it should be clearly indicated that the service is available to the public; but *that* is what CVE-2011-1164 is for. There is also some merit in arguing that connections from outside the local network should not be permitted without a password. But again, there's nothing specific to uPnP in that. -- David Woodhouse Open Source Technology Centre David.Woodhouse () intel com Intel Corporation
Current thread:
- CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Jan Lieskovsky (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Steven M. Christey (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 15)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)