Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 434930 (CVE-2012-4429)

Summary: <net-misc/vino-2.32.2-r1: leaks clipboard activity to unauthenticated clients (CVE-2012-4429)
Product: Gentoo Security Reporter: nandhp <nandhp>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=678434
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
emerge --info vino none

Description nandhp 2012-09-13 17:05:48 UTC 
Created attachment 323696 [details]
emerge --info vino

The Vino VNC server transmits all clipboard activity to viewers, including
those who have not authenticated.

Steps to reproduce:

1. Enable vino (with password protection).
2. Connect to the VNC server with socat or netcat or telnet.
   socat - tcp4:localhost:5900
3. Do not attempt to authenticate to the VNC server.
4. Copy some text.
5. Observe that the copied text is immediately echoed in the terminal window,
which should not happen.

This problem occurs with vino-server versions 2.32 (Gentoo) and 2.28 (Debian
stable).

====

I reported this bug to the GNOME Bugzilla on 20 June 2012, but no action has been taken on this issue.

https://bugzilla.gnome.org/show_bug.cgi?id=678434

I am using net-misc/vino-2.32.2:0 on amd64.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-14 00:14:55 UTC 
Thank you for the report, nandhp.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-09-14 05:56:31 UTC 
Affects all vino versions in the tree, including 3.4.2 :(
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-10-01 21:35:52 UTC 
CVE-2012-4429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4429):
  Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read
  clipboard activity by listening on TCP port 5900.
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-12-18 08:49:20 UTC 
Patched in 2.32.2-r1, 3.4.2-r1, and 3.6.2-r1.

2.32.2-r1 should be stabilized.

>*vino-3.6.2-r1 (18 Dec 2012)
>*vino-3.4.2-r1 (18 Dec 2012)
>*vino-2.32.2-r1 (18 Dec 2012)
>
>  18 Dec 2012; Alexandre Rostovtsev <tetromino@gentoo.org> vino-2.32.2.ebuild,
>  +vino-2.32.2-r1.ebuild, -vino-3.2.2.ebuild, vino-3.4.2.ebuild,
>  +vino-3.4.2-r1.ebuild, +vino-3.6.2-r1.ebuild,
>  +files/vino-3.6.2-clipboard-leak.patch:
>  Version bump for gnome-3.6 (and drop keywords due to libsecret dependency,
>  bug #447426). Fix clipboard leak to unauthenticated clients (bug #434930,
>  CVE-2012-4429, thanks to nandhp). Update homepage and license. Drop old.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 15:29:10 UTC 
Thanks, Alexandre.

Arches, please test and mark stable =net-misc/vino-2.32.2-r1
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-29 18:04:54 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-29 18:05:21 UTC 
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-31 09:20:27 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-31 23:30:29 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-01 08:25:08 UTC 
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-01-04 13:21:05 UTC 
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-01-04 21:15:17 UTC 
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-01-07 22:25:03 UTC 
alpha stable
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 21:39:32 UTC 
GLSA vote: no.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2013-04-01 14:32:01 UTC 
NO too, closing.