Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> Hello Josh, Steve, David, vendors,
>
> this is due the following vino deficiency:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=553477#c0
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=678846
>
> As noted in [1] Vino may incorrectly report, that relevant user
> desktop
> is reachable only over local network, when in fact it's reachable from
> everywhere.
>
> As this is issue slightly on the border, not sure it should receive a
> CVE identifier,
> so Cc-ed David Woodhouse to elaborate more on issue impact if
> necessary.
>
> Under my opinion, the trust boundary is crossed (it is wrongly
> reported to the the user, they
> have a secure setup, when they do not have it and otherwise would
> perform steps to correct the
> settings). But left the final decision for further discussion.
>
> What are the thoughts of the others? Should this one get a CVE
> identifier or not?
>
> Upstream bug report:
> [3] https://bugzilla.gnome.org/show_bug.cgi?id=596190
>
> Ubuntu bug report (IPv6 specific):
> [4] https://bugs.launchpad.net/ubuntu/+source/vino/+bug/344489
>
> To David King -- David, what are the upstream plans for this issue? Is
> there by any
> chance upstream patch for the bug [3] yet?

This strikes me as it should get two CVE ids (if someone more familiar
could chime in, I would appreciate it).

This looks like one id for vino improperly claiming that machine is only
accessible via the local network.

Another for it using uPnP to open up a router without proper warning.

Thanks.

-- 
    JB