| Summary: | x11-misc/x11vnc: option -localhost fails to restrict ipv6 access | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | alex_y_xu, proxy-maint, sebastien.picavet |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://bugs.debian.org/672435 https://bugzilla.redhat.com/show_bug.cgi?id=1323602 |
||
| Whiteboard: | B3 [upstream] | ||
| Package list: | Runtime testing required: | --- | |
Is this a standardised message input ? Where does it say this requires a version bump ? $ x11vnc -localhost & < ... > $ ss -plA inet sport = 5900 Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port tcp LISTEN 0 32 127.0.0.1:5900 *:* tcp LISTEN 0 32 :::5900 :::* $ vncviewer '[2001:<snip>::1]' TigerVNC Viewer 64-bit v1.6.0 Built on: 2016-04-16 08:08 Copyright (C) 1999-2015 TigerVNC Team and many others (see README.txt) See http://www.tigervnc.org for information on TigerVNC. Sat Apr 16 08:18:29 2016 CConn: connected to host 2001:<snip>::1 port 5900 16/04/2016 08:18:29 Got connection from client 2001:<snip>::1 16/04/2016 08:18:29 other clients: 16/04/2016 08:18:29 Normal socket connection 16/04/2016 08:18:29 denying client: 2001:<snip>::1 does not match 127.0.0.1 16/04/2016 08:18:29 Client 2001:<snip>::1 gone 16/04/2016 08:18:29 Statistics events Transmit/ RawEquiv ( saved) 16/04/2016 08:18:29 TOTALS : 0 | 0/ 0 ( 0.0%) 16/04/2016 08:18:29 Statistics events Received/ RawEquiv ( saved) 16/04/2016 08:18:29 TOTALS : 0 | 0/ 0 ( 0.0%) CConn: End of stream $ socat -d -d tcp-connect:'[2001:<snip>::1]':5900 - 2016/04/16 08:02:57 socat[1447] N opening connection to AF=10 [2001:<snip>:0001]:5900 2016/04/16 08:02:57 socat[1447] N successfully connected from local address AF=10 [2001:<snip>:0001]:49560 2016/04/16 08:02:57 socat[1447] N reading from and writing to stdio 2016/04/16 08:02:57 socat[1447] N starting data transfer loop with FDs [5,5] and [0,1] 16/04/2016 08:02:57 Got connection from client 2001:<snip>::1 16/04/2016 08:02:57 other clients: 16/04/2016 08:02:57 Normal socket connection 16/04/2016 08:02:57 denying client: 2001:<snip>::1 does not match 127.0.0.1 16/04/2016 08:02:57 Client 2001:<snip>::1 gone 16/04/2016 08:02:57 Statistics events Transmit/ RawEquiv ( saved) 16/04/2016 08:02:57 TOTALS : 0 | 0/ 0 ( 0.0%) 16/04/2016 08:02:57 RFB 003.008 Statistics events Received/ RawEquiv ( saved) 16/04/2016 08:02:57 TOTALS : 0 | 0/ 0 ( 0.0%) 2016/04/16 08:02:57 socat[1447] N socket 1 (fd 5) is at EOF 2016/04/16 08:02:58 socat[1447] N exiting with status 0 $ vncviewer '[::1]' TigerVNC Viewer 64-bit v1.6.0 Built on: 2016-04-16 08:08 Copyright (C) 1999-2015 TigerVNC Team and many others (see README.txt) See http://www.tigervnc.org for information on TigerVNC. Sat Apr 16 08:25:31 2016 CConn: connected to host ::1 port 5900 16/04/2016 08:25:31 Got connection from client ::1 16/04/2016 08:25:31 other clients: 16/04/2016 08:25:31 Normal socket connection 16/04/2016 08:25:31 check_access: client addr ::1 is local. < ... > *** Bug 603036 has been marked as a duplicate of this bug. *** |
From ${URL} : When starting the x11vnc with -localhost specified, it fail to restrict IPv6 accessibility to localhost. This is in conflict with the manual, which states: -localhost [...] IPv6: if IPv6 is supported, this option automatically implies the IPv6 loopback address '::1' as well. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.