Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere

["Steven M. Christey" <coley () rcf-smtp mitre org>]

On Mon, 14 Mar 2011, Jan Lieskovsky wrote:

>  this is due the following vino deficiency:
>  [1] https://bugzilla.redhat.com/show_bug.cgi?id=553477#c0
>  [2] https://bugzilla.redhat.com/show_bug.cgi?id=678846
>
> As noted in [1] Vino may incorrectly report, that relevant user desktop
> is reachable only over local network, when in fact it's reachable from 
> everywhere.
>
> As this is issue slightly on the border, not sure it should receive a 
> CVE identifier,

It should, for the reasons you gave:

> it is wrongly reported to the user, they have a secure setup, when they 
> do not have it and otherwise would perform steps to correct the 
> settings).

There are various precedents in CVE.  For example, when a browser shows a 
lock icon (or some other indicator of connection 
confidentiality/integrity) when the connection isn't actually encrypted 
(e.g. CVE-2010-3312, CVE-2009-1107).


Regarding UPnP warning for vino - it's a little more difficult to clearly 
define when a product doesn't give "enough warning" to a user, but there 
are precedents (e.g. CVE-2010-0497, CVE-2008-4234, CVE-2000-0277, 
CVE-1999-1055).

FYI, people interested in security issues related to the UI could look at 
CWE-445, CWE-357, and CWE-355 for starters.  It doesn't seem like a very 
well-explored area.

- Steve



> What are the thoughts of the others? Should this one get a CVE identifier or 
> not?
>
> Upstream bug report:
> [3] https://bugzilla.gnome.org/show_bug.cgi?id=596190
>
> Ubuntu bug report (IPv6 specific):
> [4] https://bugs.launchpad.net/ubuntu/+source/vino/+bug/344489
>
> To David King -- David, what are the upstream plans for this issue? Is there 
> by any
> chance upstream patch for the bug [3] yet?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team