Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 434930 (CVE-2012-4429)

Summary: <net-misc/vino-2.32.2-r1: leaks clipboard activity to unauthenticated clients (CVE-2012-4429)
Product: Gentoo Security Reporter: nandhp <nandhp>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Description Flags
emerge --info vino none

Description nandhp 2012-09-13 17:05:48 UTC
Created attachment 323696 [details]
emerge --info vino

The Vino VNC server transmits all clipboard activity to viewers, including
those who have not authenticated.

Steps to reproduce:

1. Enable vino (with password protection).
2. Connect to the VNC server with socat or netcat or telnet.
   socat - tcp4:localhost:5900
3. Do not attempt to authenticate to the VNC server.
4. Copy some text.
5. Observe that the copied text is immediately echoed in the terminal window,
which should not happen.

This problem occurs with vino-server versions 2.32 (Gentoo) and 2.28 (Debian


I reported this bug to the GNOME Bugzilla on 20 June 2012, but no action has been taken on this issue.

I am using net-misc/vino-2.32.2:0 on amd64.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-14 00:14:55 UTC
Thank you for the report, nandhp.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-14 05:56:31 UTC
Affects all vino versions in the tree, including 3.4.2 :(
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:35:52 UTC
CVE-2012-4429 (
  Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read
  clipboard activity by listening on TCP port 5900.
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-12-18 08:49:20 UTC
Patched in 2.32.2-r1, 3.4.2-r1, and 3.6.2-r1.

2.32.2-r1 should be stabilized.

>*vino-3.6.2-r1 (18 Dec 2012)
>*vino-3.4.2-r1 (18 Dec 2012)
>*vino-2.32.2-r1 (18 Dec 2012)
>  18 Dec 2012; Alexandre Rostovtsev <> vino-2.32.2.ebuild,
>  +vino-2.32.2-r1.ebuild, -vino-3.2.2.ebuild, vino-3.4.2.ebuild,
>  +vino-3.4.2-r1.ebuild, +vino-3.6.2-r1.ebuild,
>  +files/vino-3.6.2-clipboard-leak.patch:
>  Version bump for gnome-3.6 (and drop keywords due to libsecret dependency,
>  bug #447426). Fix clipboard leak to unauthenticated clients (bug #434930,
>  CVE-2012-4429, thanks to nandhp). Update homepage and license. Drop old.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 15:29:10 UTC
Thanks, Alexandre.

Arches, please test and mark stable =net-misc/vino-2.32.2-r1
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-29 18:04:54 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-29 18:05:21 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-31 09:20:27 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-31 23:30:29 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-01 08:25:08 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-01-04 13:21:05 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-01-04 21:15:17 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-01-07 22:25:03 UTC
alpha stable
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 21:39:32 UTC
GLSA vote: no.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2013-04-01 14:32:01 UTC
NO too, closing.