Bug 8782 - vino new security issue CVE-2012-4429
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/533562/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Keywords: validated_update

Reported: 2013-01-22 22:35 CET by David Walser
Modified: 2013-02-06 23:01 CET (History)

Source RPM: vino-3.4.1-1.mga2.src.rpm

Description David Walser 2013-01-22 22:35:48 CET
RedHat has issued an advisory on January 21:
https://rhn.redhat.com/errata/RHSA-2013-0169.html

Cauldron is not affected, as this was fixed upstream.

Patched package uploaded for Mageia 2.

Patch also added in Mageia 1 SVN.

Advisory:
========================

Updated vino package fixes security vulnerability:

It was found that Vino transmitted all clipboard activity on the system
running Vino to all clients connected to port 5900, even those who had not
authenticated. A remote attacker who is able to access port 5900 on a
system running Vino could use this flaw to read clipboard data without
authenticating (CVE-2012-4429).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4429
https://rhn.redhat.com/errata/RHSA-2013-0169.html
========================

Updated packages in core/updates_testing:
========================
vino-3.4.2-1.1.mga2

from vino-3.4.2-1.1.mga2.src.rpm
Comment 1 claire robinson 2013-01-29 11:22:51 CET
PoC: http://www.openwall.com/lists/oss-security/2012/09/13/25
Comment 2 claire robinson 2013-01-30 18:01:19 CET
Testing mga2 64

Before
------
$ vino-preferences

Configure to accept connections with a password

$ /usr/lib64/vino-server

(vino-server:13434): EggSMClient-CRITICAL **: egg_sm_client_set_mode: assertion `global_client == NULL || global_client_mode == EGG_SM_CLIENT_MODE_DISABLED' failed
30/01/2013 16:51:16 Autoprobing TCP port in (all) network interface
30/01/2013 16:51:16 Listening IPv6://[::]:5900
30/01/2013 16:51:16 Listening IPv4://0.0.0.0:5900
30/01/2013 16:51:16 Autoprobing selected port 5900
30/01/2013 16:51:16 Advertising security type: 'TLS' (18)
30/01/2013 16:51:16 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
30/01/2013 16:51:16 Listening IPv6://[::]:5900
30/01/2013 16:51:16 Listening IPv4://0.0.0.0:5900
30/01/2013 16:51:16 Clearing securityTypes
etc..

In another terminal..
$ socat - tcp4:localhost:5900
RFB 003.007

Then copying some text displays it below this. Ctrl-C in both terminals to kill socat and kill vino-server.

After
-----
# urpmi vino

installing vino-3.4.2-1.1.mga2.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########################################################################################
      1/1: vino                  ##########################################################################################
warning: undefined reference to <schema id='org.gnome.glabels.locale'/>
warning: undefined reference to <schema id='org.gnome.glabels.objects'/>
warning: undefined reference to <schema id='org.gnome.glabels.history'/>
warning: undefined reference to <schema id='org.gnome.glabels.ui'/>

Apart from the above warnings re-testing shows the vulnerability closed. No copied text displayed.

This was tested in KDE, which may account for the GNOME warnings.

Any thoughts David?
Comment 3 David Walser 2013-01-30 19:15:42 CET
I'm not a GNOME guy, but I imagine it's something not worth worrying about.

I'll CC Olav, just in case he cares to comment on it.  I haven't seen him in a while.
Comment 4 claire robinson 2013-01-30 23:06:38 CET
Tested mga2 32 ok

Validating

Advisory & SRPM in comment 0

bug 8908 created for the warnings

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 5 Thomas Backlund 2013-02-06 23:01:26 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0028
