oss-sec mailing list archives

Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere


From: David Woodhouse <dwmw2 () infradead org>
Date: Mon, 14 Mar 2011 21:07:49 +0000

On Mon, 2011-03-14 at 16:59 -0400, Josh Bressers wrote:
> This looks like one id for vino improperly claiming that machine is only
> accessible via the local network.
> 
> Another for it using uPnP to open up a router without proper warning.

I'd concur with the former, but not the latter. Issuing a CVE for that
kind of thing just encourages the people who mistakenly view NAT as a
form of security. uPnP is just one of the *many* reasons that viewpoint
is wrong.

If you wouldn't issue a CVE for vino listening with socket() and bind()
system calls, then you shouldn't issue a CVE for it using uPnP to listen
either. uPnP is just the normal way to work around broken networking.

As far as I'm concerned there is only one issue here; the misreporting
that only local access is possible when in fact it's not.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse () intel com                              Intel Corporation
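The check that settles the one issue both posters agree on, reported reachability versus actual reachability, is to look at what the service is really bound to rather than at what its UI says. The following Python script is an added example, not vino's code and not part of the thread: it reads the Linux /proc/net/tcp table, decodes the hex-encoded local address of every socket in LISTEN state, and flags listeners bound to a wildcard or non-loopback address. The sample table embedded in it is constructed; port 5900 stands in for a VNC server and port 631 for a loopback-only service.

```python
"""Audit which addresses a host's TCP listeners are actually bound to.

Added example (not vino's code, not from the mailing-list post). It parses
the Linux /proc/net/tcp table and reports sockets in LISTEN state that are
not confined to loopback, i.e. sockets reachable from other hosts no matter
what the application's status dialog claims. The sample table is constructed.
"""
import socket
import struct

TCP_LISTEN = 0x0A  # socket state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp format: header plus three sockets.
# 0x170C = 5900 (VNC, bound to 0.0.0.0), 0x0277 = 631 (bound to 127.0.0.1),
# and one established connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:BB96 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def decode_local_address(field):
    """Turn '0100007F:170C' into ('127.0.0.1', 5900).

    /proc/net/tcp stores IPv4 addresses as hex in host byte order; on the
    little-endian machines Linux usually runs on that is the reversed octet
    order, so pack little-endian and let inet_ntoa read the bytes back.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_listeners(proc_net_tcp_text):
    """Return [(address, port, uid)] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_local_address(fields[1])
        listeners.append((addr, port, int(fields[7])))
    return listeners


def scope_of(addr):
    """Classify where a listener bound to `addr` can be reached from."""
    if addr.startswith("127."):
        return "loopback"
    if addr == "0.0.0.0":
        return "all interfaces"
    return "specific interface"


def audit(proc_net_tcp_text):
    """Return findings for listeners that are not confined to loopback.

    A service that tells the user it is only reachable on the local network
    but shows up here bound to 0.0.0.0 is reachable from any network that
    can route to the host; NAT or a UPnP port mapping only changes how.
    """
    findings = []
    for addr, port, uid in parse_listeners(proc_net_tcp_text):
        scope = scope_of(addr)
        if scope != "loopback":
            findings.append({"address": addr, "port": port,
                             "uid": uid, "scope": scope})
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for f in audit(table):
        print(f"port {f['port']} bound to {f['address']} "
              f"({f['scope']}), uid {f['uid']}")
```

Run it on a Linux host to see every non-loopback listener; the same check can be done with `ss -ltn` or `netstat -ltn`, but decoding the table by hand makes the wildcard-versus-loopback distinction explicit. IPv6 listeners live in /proc/net/tcp6 and are not covered here.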

