oss-sec mailing list archives

Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere


From: Josh Bressers <bressers () redhat com>
Date: Tue, 15 Mar 2011 17:10:22 -0400 (EDT)

----- Original Message -----
Hello Josh, Steve, David, vendors,

this is due to the following vino deficiency:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=553477#c0
[2] https://bugzilla.redhat.com/show_bug.cgi?id=678846

As noted in [1], Vino may incorrectly report that the relevant user's desktop
is reachable only over the local network, when in fact it's reachable from
everywhere.

As this issue is slightly on the border, I am not sure it should receive a CVE
identifier, so I Cc-ed David Woodhouse to elaborate more on the issue's impact if
necessary.

In my opinion, the trust boundary is crossed (it is wrongly reported
to the user that they have a secure setup, when they do not have it and
otherwise would perform steps to correct the settings). But I have left the
final decision for further discussion.

What are the thoughts of the others? Should this one get a CVE identifier
or not?

Upstream bug report:
[3] https://bugzilla.gnome.org/show_bug.cgi?id=596190

Ubuntu bug report (IPv6 specific):
[4] https://bugs.launchpad.net/ubuntu/+source/vino/+bug/344489


The above bugs talk about two flaws. Based on discussions I'm giving them
both CVE ids.

Issue #1

Vino incorrectly tells users their desktop is only reachable over the local
network.

https://bugzilla.gnome.org/show_bug.cgi?id=596190
https://bugs.launchpad.net/ubuntu/+source/vino/+bug/344489

Use CVE-2011-1164

Issue #2

Vino can open ports via UPnP without alerting the user.
https://bugzilla.redhat.com/show_bug.cgi?id=678846

Use CVE-2011-1165

Thanks.

-- 
    JB

