Created attachment 323696
emerge --info vino
The Vino VNC server transmits all clipboard activity to viewers, including
those who have not authenticated.
Steps to reproduce:
1. Enable vino (with password protection).
2. Connect to the VNC server with socat or netcat or telnet.
   socat - tcp4:localhost:5900
3. Do not attempt to authenticate to the VNC server.
4. Copy some text.
5. Observe that the copied text is immediately echoed in the terminal window,
which should not happen.
This problem occurs with vino-server versions 2.32 (Gentoo) and 2.28 (Debian
I reported this bug to the GNOME Bugzilla on 20 June 2012, but no action has been taken on this issue.
I am using net-misc/vino-2.32.2:0 on amd64.
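An added example, not part of the original report or of vino's code: a check that can be run over the server-to-client bytes recorded from a connection like the one in the steps above (client sends nothing) to confirm whether clipboard data followed the banner. It assumes the leaked text is framed as standard RFB ServerCutText messages (type 3); the function names and the two sample streams are constructed for illustration.

```python
import struct

BANNER_LEN = 12        # ProtocolVersion message, e.g. b"RFB 003.007\n"
SERVER_CUT_TEXT = 3    # RFB server-to-client message type for clipboard data
HEADER = struct.Struct(">B3xI")  # type, 3 padding bytes, big-endian text length


def preauth_cut_texts(server_stream: bytes) -> list[str]:
    """Return clipboard texts found after the banner in a server-to-client
    byte stream recorded from a connection on which the client sent nothing.

    Only the banner is expected on such a connection, so any ServerCutText
    message found here was sent to an unauthenticated peer.
    """
    banner = server_stream[:BANNER_LEN]
    if (len(banner) < BANNER_LEN or not banner.startswith(b"RFB ")
            or not banner.endswith(b"\n")):
        raise ValueError("stream does not start with an RFB version banner")

    leaked, pos = [], BANNER_LEN
    while len(server_stream) - pos >= HEADER.size:
        msg_type, length = HEADER.unpack_from(server_stream, pos)
        if msg_type != SERVER_CUT_TEXT:
            break                  # other unsolicited data; not parsed here
        start = pos + HEADER.size
        if start + length > len(server_stream):
            break                  # recording ended in the middle of a message
        # RFB defines ServerCutText payloads as Latin-1 text.
        leaked.append(server_stream[start:start + length].decode("latin-1"))
        pos = start + length
    return leaked


def cut_text(text: str) -> bytes:
    """Build one ServerCutText message (used only to construct sample input)."""
    data = text.encode("latin-1")
    return HEADER.pack(SERVER_CUT_TEXT, len(data)) + data


# Constructed sample streams, not captures from a real server.
PATCHED = b"RFB 003.007\n"
VULNERABLE = PATCHED + cut_text("first copy") + cut_text("second copy")

if __name__ == "__main__":
    for name, stream in (("patched", PATCHED), ("vulnerable", VULNERABLE)):
        print(name, preauth_cut_texts(stream))
```

An empty list is the expected result for a fixed server; any returned text means clipboard contents reached a client that never authenticated.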
Thank you for the report, nandhp.
Affects all vino versions in the tree, including 3.4.2 :(
Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read
clipboard activity by listening on TCP port 5900.
Patched in 2.32.2-r1, 3.4.2-r1, and 3.6.2-r1.
2.32.2-r1 should be stabilized.
>*vino-3.6.2-r1 (18 Dec 2012)
>*vino-3.4.2-r1 (18 Dec 2012)
>*vino-2.32.2-r1 (18 Dec 2012)
> 18 Dec 2012; Alexandre Rostovtsev <email@example.com> vino-2.32.2.ebuild,
> +vino-2.32.2-r1.ebuild, -vino-3.2.2.ebuild, vino-3.4.2.ebuild,
> +vino-3.4.2-r1.ebuild, +vino-3.6.2-r1.ebuild,
> Version bump for gnome-3.6 (and drop keywords due to libsecret dependency,
> bug #447426). Fix clipboard leak to unauthenticated clients (bug #434930,
> CVE-2012-4429, thanks to nandhp). Update homepage and license. Drop old.
Arches, please test and mark stable =net-misc/vino-2.32.2-r1
GLSA vote: no.
NO too, closing.