Re: CVE request: information leak in vino

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2012 04:48 PM, Vincent Danen wrote:
> This one is a bit older, not sure why it hasn't been dealt with or 
> reported earlier, but just copying my text from our bug:
>
>
> It was reported that vino transmits all clipboard activity to 
> anything listening on port 5900, including to clients that have
> not authenticated.  If a user were to have vino enabled (including
> requiring authentication), a remote user could access the port and
> see anything the user added to the clipboard sent over the port.
>
> To reproduce, enable vino with password protection (i.e. execute 
> vino-preferences).  Connect to the VNC port (either locally or 
> remotely), for instance:
>
> % nc -4 odvfc17 5900 RFB 003.007 @??zsh: command not found:
> zsh:@??[vdanen@odvfc17]
>
> The above two bits of output are from copying in the GNOME
> terminal, locally, on the system running vino.
>
> The above was tested with Fedora 17's 3.4.2 version; the report 
> indicates that 2.32 on Gentoo and 2.28 on Debian are also
> vulnerable.
>
> References:
>
> https://bugs.gentoo.org/show_bug.cgi?id=434930 
> https://bugzilla.gnome.org/show_bug.cgi?id=678434 
> https://bugzilla.redhat.com/show_bug.cgi?id=857250
>
> I did a quick attempt to reproduce this with 2.13.5 but was unable
> to reproduce it, so somewhere between 2.13.5 and 2.28 this became
> a problem.  I've not dug into it further to see which version
> introduced this.
>
> There's no response in the upstream bug either, so no patches are 
> available that I can see.

Please use CVE-2012-4429  for this issue.
- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQUnYPAAoJEBYNRVNeJnmTqzkQAMPQpRhb5MBRJDcwtVHTea3z
tSVWw1A5Ga8NTUNNHUtM7W5sTk18H/H6eDP/WU08J79fTn3183pXJG5++fQzmXwC
z0mKlJu9YySXVc2USgQwZFSs8s68JakabIms1UIPAOcJi7Q//gIzRticjG/iGSkq
PxS4hheI1E72cWbmXmSCpAiMFHhkYDoXyuRNMd2Jaq4WOzdohnf+EedigGYt0/6q
0RXhlX7KZGSYfR40oKc21ElbKQzCgbDzgtIQ/KOfU/1SBCBgsya9URIPywZs7idp
5rUiziMz3yOdCO4IJNI/1keQIQ6waKGLEAdfxl9G37c2vIxUxj27TYuaBcStliUh
AiCGJoIVVPlTSN7T4ChsdafGKWYZYpPyPyiFYHECZ8AHpamLJuzb/AKZD9/g3mPL
G11jWeSpk3Z2M2osNgSlPc/NDSd+oxxPEJ0QhWVdCEWM56rqeTbOwKgFnuDZwobj
6unxuIigRdEdcfUXJ1QkP2RZniiFSgdBAk9fLFBFZyNwLNUHeBaM6GViFpbpCOb7
MueTzlF7K2nXQ7e1SOJpobOqsCClmcig41bmXFoKZSGbKjkoXbPtWyLveQTXbcqm
rd/Lw8vvh87StbZmFD8nIKmmblal06Ebc83TejPxkH+pLWQjandzm3bhK5Ggv6i9
6oXoBUt0PVmDNKQDonfC
=cHAa
-----END PGP SIGNATURE-----