https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672449 and https://github.com/LibVNC/libvncserver/pull/128 have given some kind of workaround (it does not seem to correct “-localhost” option). I do not have the time to try it yet. My workaround: USE='-ipv6' emerge -1av libvncserver It strangely remove “:::5900” but allow “::1:5900” with “-localhost” option. “-no6” remove this line on my “netstat -tupl”. So with -ipv6 USE, libvncserver seems to work fine (avoid this security issue, but still accepted ipv6). Alex Xu (proxy maintainer) should be assign to this bug. Reproducible: Always Steps to Reproduce: Compile x11vnc and use it: x11vnc -localhost x11vnc -localhost -no6 etc. Actual Results: lead to the same result: tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1339/x11vnc tcp6 0 0 :::5900 :::* LISTEN 1339/x11vnc => x11vnc accepts connection from everywhere on ipv6 interface. Expected Results: tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1339/x11vnc tcp6 0 0 ::1:5900 :::* LISTEN 1339/x11vnc With I disable ipv6 just: tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 1339/x11vnc
one, this bug should be against x11vnc, two, as filed, it's a blatant duplicate (literally just search for "localhost"), three, the links are for totally different bugs *** This bug has been marked as a duplicate of bug 579308 ***
additionally, I would just bump it, but https://github.com/LibVNC/libvncserver/issues/122 has still been ignored, so I kinda don't want to touch the ebuild
(In reply to Alex Xu (Hello71) from comment #1) > one, this bug should be against x11vnc, two, as filed, it's a blatant > duplicate (literally just search for "localhost"), three, the links are for > totally different bugs Sorry, I have just looked open bugs… bug 579308 is closed. I didn't see it. For me, they talk abount same kind of bugs: some x11vnc option's (localhost, no6, noipv6, maybe more?) are ignored by something… It is not just about “-localhost”. Why did I choose libvncserver? 1/ Both packages are maintained by you… so it would be assign to the good person. 2/ “-no6” and “-noipv6” seems to be solved by a pull request on libvncserver ( https://github.com/LibVNC/libvncserver/pull/128 & https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672449) 3/ USE='-ipv6' on libvncserver seems to solve these option issues (my netstat -tupl are consistent with localhost/no6/noipv6 option, but I can't try it on my network). Alright, I can be wrong. Perhaps I should have created a bug for “no6” and “noipv6’. And another for “localhost“. > *** This bug has been marked as a duplicate of bug 579308 *** So… despite ”:::5900” the client can't connect (“16/04/2016 08:02:57 denying client: 2001:<snip>::1 does not match 127.0.0.1”). Not perfect, but enough to avoid an unauthorized access. (In reply to Alex Xu (Hello71) from comment #2) > additionally, I would just bump it, but > https://github.com/LibVNC/libvncserver/issues/122 has still been ignored, so > I kinda don't want to touch the ebuild Ok.
