Bug 8782

Summary: vino new security issue CVE-2012-4429
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: olav, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/533562/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Source RPM: vino-3.4.1-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2013-01-22 22:35:48 CET 
RedHat has issued an advisory on January 21:
https://rhn.redhat.com/errata/RHSA-2013-0169.html

Cauldron is not affected, as this was fixed upstream.

Patched package uploaded for Mageia 2.

Patch also added in Mageia 1 SVN.

Advisory:
========================

Updated vino package fixes security vulnerability:

It was found that Vino transmitted all clipboard activity on the system
running Vino to all clients connected to port 5900, even those who had not
authenticated. A remote attacker who is able to access port 5900 on a
system running Vino could use this flaw to read clipboard data without
authenticating (CVE-2012-4429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4429
https://rhn.redhat.com/errata/RHSA-2013-0169.html
========================

Updated packages in core/updates_testing:
========================
vino-3.4.2-1.1.mga2

from vino-3.4.2-1.1.mga2.src.rpm
Comment 1 claire robinson 2013-01-29 11:22:51 CET 
PoC: http://www.openwall.com/lists/oss-security/2012/09/13/25
Comment 2 claire robinson 2013-01-30 18:01:19 CET 
Testing mga2 64

Before
------
$ vino-preferences

Configure to accept connections with a password

$ /usr/lib64/vino-server

(vino-server:13434): EggSMClient-CRITICAL **: egg_sm_client_set_mode: assertion `global_client == NULL || global_client_mode == EGG_SM_CLIENT_MODE_DISABLED' failed
30/01/2013 16:51:16 Autoprobing TCP port in (all) network interface
30/01/2013 16:51:16 Listening IPv6://[::]:5900
30/01/2013 16:51:16 Listening IPv4://0.0.0.0:5900
30/01/2013 16:51:16 Autoprobing selected port 5900
30/01/2013 16:51:16 Advertising security type: 'TLS' (18)
30/01/2013 16:51:16 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
30/01/2013 16:51:16 Listening IPv6://[::]:5900
30/01/2013 16:51:16 Listening IPv4://0.0.0.0:5900
30/01/2013 16:51:16 Clearing securityTypes
etc..

In another terminal..
$ socat - tcp4:localhost:5900
RFB 003.007

Then copying some text displays it below this. ctrl-c in both terminals to kill socat and kill vino-server.

After
-----
# urpmi vino

installing vino-3.4.2-1.1.mga2.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################################################################################
      1/1: vino                  ##########################################################################################
warning: undefined reference to <schema id='org.gnome.glabels.locale'/>
warning: undefined reference to <schema id='org.gnome.glabels.objects'/>
warning: undefined reference to <schema id='org.gnome.glabels.history'/>
warning: undefined reference to <schema id='org.gnome.glabels.ui'/>

Apart from the above warnings re-testing shows the vulnerability closed. No copied text displayed.

This was tested in kde which may account for the gnome warnings.

Any thoughts David?

Whiteboard: (none) => has_procedure mga2-64-OK?

Comment 3 David Walser 2013-01-30 19:15:42 CET 
I'm not a GNOME guy, but I imagine it's something not worth worrying about.

I'll CC Olav, just in case he cares to comment on it.  I haven't seen him in a while.

CC: (none) => olav

Comment 4 claire robinson 2013-01-30 23:06:38 CET 
Tested mga2 32 ok

Validating

Advisory & SRPM in comment 0

bug 8908 created for the warnings

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK? => has_procedure mga2-64-OK mga2-32-ok

Comment 5 Thomas Backlund 2013-02-06 23:01:26 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0028

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED