X2Go Bug report logs - #258
SECURITY: x2goclient allows clipboard sniffing

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: pending, security

Fixed in version 4.0.2.1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Subject: Bug#258: SECURITY:  x2goclient allows clipboard sniffing
Reply-To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org
Message-ID: <1372646308.18508.2.camel@heisenberg.scientia.net>
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200
Package: x2goclient
Severity: grave
Tags: security

Hi.

From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588


It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other related tools?) transmits the content of
the clipboard to the remote host.

As this may easily contain passwords or other sensitive information,
this is an extremely critical hole.


Cheers,
Chris.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 12:19:49 2024; Machine Name: ymir.das-netzwerkteam.de
