GNOME Bugzilla – Bug 678434
Vino leaks clipboard activity to unauthenticated clients
Last modified: 2012-12-17 22:23:39 UTC
The Vino VNC server transmits all clipboard activity to viewers, including those who have not authenticated.

Steps to reproduce:
1. Enable vino (with password protection).
2. Connect to the VNC server with socat or netcat or telnet.
   socat - tcp4:localhost:5900
3. Do not attempt to authenticate to the VNC server.
4. Copy some text.
5. Observe that the copied text is immediately echoed in the terminal window, which should not happen.

This problem occurs with vino-server versions 2.32 (Gentoo) and 2.28 (Debian stable).
Appears to affect all vino versions at least up to 3.4.2 (did not test 3.5.x).
This is a security issue; it has been assigned CVE-2012-4429: http://www.openwall.com/lists/oss-security/2012/09/14/1
ping, any updates on this bug?
Quick note: This also affects the latest version of vino, up to 3.6.2.
Created attachment 231701: patch
Enclosed patch should fix the problem. vino_server_clipboard_cb() in vino-server.c is the callback which is triggered when a clipboard copy event is fired. After doing some initial checks (1. if there are any connected clients, 2. if the server is on hold, etc.), it converts the text to UTF-8 and then passes it on to rfbSendServerCutText(). Here data is pasted to each client, without verifying if the client is authenticated. The patch checks if the client is authenticated and only then allows the clipboard text to be sent to it.
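The check described in the comment above, as an added example that is not part of the original bug thread and is not Vino's code or the attached patch. The state enum, struct client, buffer size and function names are hypothetical; the message layout follows the RFB ServerCutText format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified handshake states (not Vino's own types). */
enum client_state { ST_PROTOCOL_VERSION, ST_AUTHENTICATION, ST_NORMAL };

struct client {
    enum client_state state;
    uint8_t out[256];  /* stands in for the socket send buffer */
    size_t out_len;
};

/* Encode an RFB ServerCutText message: type 3, three padding bytes,
 * big-endian 32-bit length, then the text. Returns 0 if it does not fit. */
static size_t encode_cut_text(uint8_t *buf, size_t cap, const char *text)
{
    size_t len = strlen(text);
    if (cap < 8 || len > cap - 8) return 0;
    memset(buf, 0, 8);
    buf[0] = 3;
    buf[4] = (uint8_t)(len >> 24); buf[5] = (uint8_t)(len >> 16);
    buf[6] = (uint8_t)(len >> 8);  buf[7] = (uint8_t)len;
    memcpy(buf + 8, text, len);
    return 8 + len;
}

/* Queue clipboard text for clients. require_auth == 0 models the reported
 * behaviour; non-zero skips clients that have not finished authenticating. */
int send_cut_text(struct client *cl, size_t n, const char *text, int require_auth)
{
    int sent = 0;
    for (size_t i = 0; i < n; i++) {
        if (require_auth && cl[i].state != ST_NORMAL)
            continue;  /* still in handshake: send nothing */
        if ((cl[i].out_len = encode_cut_text(cl[i].out, sizeof cl[i].out, text)) > 0)
            sent++;
    }
    return sent;
}

int main(void)
{
    /* Constructed sample: one unauthenticated and one authenticated client. */
    struct client c[2] = { { ST_AUTHENTICATION, {0}, 0 }, { ST_NORMAL, {0}, 0 } };
    printf("recipients with check: %d\n", send_cut_text(c, 2, "secret", 1));
    return 0;
}
```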
Comment on attachment 231701: patch

Thanks for the patch. I pushed a tidied version with the correct attribution to master and gnome-3-6 as commits 9c8b9f81205203db6c31068babbfb8a734acacdb and eb3752eed13473c4db20aedec14eb28de914abf0.