oss-sec mailing list archives
Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Mon, 14 Mar 2011 18:09:45 -0400 (EDT)
On Mon, 14 Mar 2011, Jan Lieskovsky wrote:
> this is due to the following vino deficiency:
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=553477#c0
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=678846
>
> As noted in [1], Vino may incorrectly report that the relevant user desktop is reachable only over the local network, when in fact it's reachable from everywhere. As this issue is slightly on the border, not sure it should receive a CVE identifier,
It should, for the reasons you gave:
> it is wrongly reported to the user that they have a secure setup, when they do not have it and otherwise would perform steps to correct the settings.
There are various precedents in CVE. For example, when a browser shows a lock icon (or some other indicator of connection confidentiality/integrity) when the connection isn't actually encrypted (e.g. CVE-2010-3312, CVE-2009-1107).
Regarding UPnP warning for vino - it's a little more difficult to clearly define when a product doesn't give "enough warning" to a user, but there are precedents (e.g. CVE-2010-0497, CVE-2008-4234, CVE-2000-0277, CVE-1999-1055).
FYI, people interested in security issues related to the UI could look at CWE-445, CWE-357, and CWE-355 for starters. It doesn't seem like a very well-explored area.
- Steve
> What are the thoughts of the others? Should this one get a CVE identifier or not?
>
> Upstream bug report:
> [3] https://bugzilla.gnome.org/show_bug.cgi?id=596190
>
> Ubuntu bug report (IPv6 specific):
> [4] https://bugs.launchpad.net/ubuntu/+source/vino/+bug/344489
>
> To David King -- David, what are the upstream plans for this issue? Is there by any chance an upstream patch for the bug [3] yet?
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
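The flaw under discussion is a wrong answer to the question "from where can this listening desktop be reached?". The following is an added example, not vino's code and not part of the thread: it takes the set of interface addresses a service actually accepts connections on (a wildcard bind must be expanded over all interfaces first) plus a caller-supplied flag saying whether a router port mapping (for instance via UPnP) exists, and classifies the exposure. The point it makes is that a single globally routable address of either family, or an active port mapping, means "reachable from everywhere", regardless of how many private IPv4 addresses sit next to it. The addresses in the sample run are constructed, and the scope rules follow Python's `ipaddress` classification rather than any vino logic.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple


def address_scope(addr: str) -> str:
    """Widest network an interface address can be reached from.

    Returns one of "loopback", "link-local", "private" or "global".
    A zone index such as "fe80::1%eth0" is dropped before parsing.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_global:
        return "global"
    # RFC 1918, CGNAT shared space, IPv6 ULA, documentation ranges, ...
    return "private"


def reachability_summary(listen_addrs: Iterable[str],
                         upnp_forwarded: bool = False) -> Tuple[str, List[str]]:
    """Summarise from where a listening service can be reached.

    listen_addrs:   every interface address the service accepts on
                    (expand 0.0.0.0 / :: to the real interface addresses
                    before calling this).
    upnp_forwarded: assumed input, True when a router port mapping exists;
                    that exposes the service even behind IPv4 NAT.

    Returns (verdict, reasons); verdict is "everywhere", "local network"
    or "this machine only".
    """
    scopes: Dict[str, str] = {addr: address_scope(addr) for addr in listen_addrs}
    reasons: List[str] = []

    if upnp_forwarded:
        reasons.append("router port mapping forwards the service to the Internet")
    for addr, scope in scopes.items():
        if scope == "global":
            reasons.append(f"{addr} is a globally routable address")
    if reasons:
        return "everywhere", reasons

    for addr, scope in scopes.items():
        if scope in ("private", "link-local"):
            reasons.append(f"{addr} is reachable from the local network ({scope})")
    if reasons:
        return "local network", reasons

    return "this machine only", ([f"{a} is loopback" for a in scopes]
                                 or ["no listening addresses"])


if __name__ == "__main__":
    # Constructed sample interface sets; the IPv6 address is not a real host.
    samples = [
        (["127.0.0.1", "192.168.1.20", "fe80::1%eth0"], False),
        (["127.0.0.1", "192.168.1.20", "2600:1f18:abcd:1::2"], False),  # IPv6 trap
        (["127.0.0.1", "::1"], False),
        (["192.168.1.20"], True),                                        # UPnP trap
    ]
    for addrs, upnp in samples:
        verdict, why = reachability_summary(addrs, upnp_forwarded=upnp)
        print(f"{addrs} upnp={upnp}: {verdict}")
        for r in why:
            print("   -", r)
```

The second and fourth samples are the two ways a tool that only looks at IPv4 private ranges gets the answer wrong: a global IPv6 address on the same box, or a port mapping on the router, both make the desktop reachable from the Internet while every IPv4 address still looks "local".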
Current thread:
- CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Jan Lieskovsky (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Steven M. Christey (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 15)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)