oss-sec mailing list archives

CVE request: information leak in vino

From: Vincent Danen <vdanen () redhat com>
Date: Thu, 13 Sep 2012 16:48:35 -0600

This one is a bit older, not sure why it hasn't been dealt with or
reported earlier, but just copying my text from our bug:
It was reported that vino transmits all clipboard activity to
anything listening on port 5900, including to clients that have not
authenticated.  If a user were to have vino enabled (including requiring
authentication), a remote user could access the port and see anything
the user added to the clipboard sent over the port.

To reproduce, enable vino with password protection (i.e. execute
vino-preferences).  Connect to the VNC port (either locally or
remotely), for instance:

% nc -4 odvfc17 5900
RFB 003.007
@??zsh: command not found: zsh:@??[vdanen@odvfc17]

The above two bits of output are from copying in the GNOME terminal,
locally, on the system running vino.
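To make the transcript above easier to interpret from the defender's side, here is an added example (not part of the original report, vino, or any of the linked bugs) that parses the bytes an RFB server sends to a client that has merely opened the TCP connection. It reads the 12-byte version banner and then pulls out any ServerCutText frames (RFB message type 3: one type byte, three padding bytes, a big-endian u32 length, then the text), which is the message a VNC server uses to push clipboard contents and which should only ever appear after ServerInit. The names, the `SAMPLE` byte string and the stop-on-truncation behaviour are my own constructions; the frame layout follows the RFB 3.7 message format.

```python
import struct

# Hypothetical helper, not part of vino or the report: parses the bytes an RFB
# server pushes to a client that has done nothing but open the TCP connection
# (as in the `nc` session above) and extracts any ServerCutText payloads that
# arrive before the client has even answered the version handshake.

RFB_VERSION_LEN = 12                      # "RFB xxx.yyy\n"
SERVER_CUT_TEXT = 3                       # server-to-client message type: clipboard text
CUT_TEXT_HEADER = struct.Struct(">B3xI")  # type, 3 bytes padding, u32 text length


def parse_premature_cut_text(stream: bytes):
    """Return (version, texts, leftover) for a raw pre-auth server byte stream.

    version  : the RFB version banner without its newline, or None if absent
    texts    : clipboard strings the server sent before any authentication
    leftover : bytes after the last complete cut-text frame (normally the
               security-type list, or the start of a truncated frame)
    """
    if len(stream) < RFB_VERSION_LEN or not stream.startswith(b"RFB "):
        return None, [], stream
    version = stream[:RFB_VERSION_LEN].decode("ascii", "replace").rstrip("\n")
    pos = RFB_VERSION_LEN
    texts = []
    while pos < len(stream) and stream[pos] == SERVER_CUT_TEXT:
        if len(stream) - pos < CUT_TEXT_HEADER.size:
            break  # truncated header: stop rather than misparse the tail
        _, length = CUT_TEXT_HEADER.unpack_from(stream, pos)
        start = pos + CUT_TEXT_HEADER.size
        if len(stream) - start < length:
            break  # truncated payload: leave it in `leftover`
        texts.append(stream[start:start + length].decode("latin-1"))
        pos = start + length
    return version, texts, stream[pos:]


def leaks_clipboard(stream: bytes) -> bool:
    """True if any clipboard text was received before authentication."""
    return bool(parse_premature_cut_text(stream)[1])


# Constructed sample, not captured from a real vino instance: the version
# banner, two clipboard updates, then the first bytes of a security-type list.
SAMPLE = (b"RFB 003.007\n"
          + CUT_TEXT_HEADER.pack(SERVER_CUT_TEXT, 5) + b"hello"
          + CUT_TEXT_HEADER.pack(SERVER_CUT_TEXT, 7) + b"secret!"
          + b"\x01\x02")

if __name__ == "__main__":
    version, texts, rest = parse_premature_cut_text(SAMPLE)
    print(version, texts, rest, leaks_clipboard(SAMPLE))
```

Feeding the raw bytes of an unauthenticated session into `leaks_clipboard` gives a yes/no answer that is easier to act on than the shell-mangled output shown above; a non-empty `texts` list on a server that requires a password confirms the pre-authentication leak, and the natural mitigation until a fix exists is to keep port 5900 unreachable from untrusted networks or to disable vino when it is not needed.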

The above was tested with Fedora 17's 3.4.2 version; the report
indicates that 2.32 on Gentoo and 2.28 on Debian are also vulnerable.

References:

https://bugs.gentoo.org/show_bug.cgi?id=434930
https://bugzilla.gnome.org/show_bug.cgi?id=678434
https://bugzilla.redhat.com/show_bug.cgi?id=857250

I did a quick attempt to reproduce this with 2.13.5 but was unable to
reproduce it, so somewhere between 2.13.5 and 2.28 this became a
problem.  I've not dug into it further to see which version introduced
this.

There's no response in the upstream bug either, so no patches are
available that I can see.

--
Vincent Danen / Red Hat Security Response Team