X2Go Bug report logs - #258
SECURITY: x2goclient allows clipboard sniffing


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: pending, security

Fixed in version 4.0.2.1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.



Message #35 received at 258@bugs.x2go.org:

Date: Tue, 2 Jul 2013 12:01:34 +0400
Message-ID: <CALxOYEZF=mZODbx60G2J=v+xBTLeQyc02AF-nxmvG1LEo2+msw@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY:
 x2goclient allows clipboard sniffing
From: Nable 80 <nable.maininbox@googlemail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org, x2go-dev@lists.berlios.de
Sorry, quickfix:
s/implicitly/explicitly/

2013/7/2, Nable 80 <nable.maininbox@googlemail.com>:
> Hi, Chris.
>
>> So it directly goes into the local X server?
>> Wow... that's awful... like a security nightmare...
> Then, you don't use ssh -X/-Y, do you?
>
>> And people don't see x2go (or VNC, or rdp) like a direct access
>> to their X server (as in plain X forwarding with xauth and that like).
> Why do you think so? Because they have it in a window and didn't specify
> any option that exactly means 'turn on X11 forwarding'?
> After all, I think that it's not a grave issue as most people use X11
> forwarding for rather trusted hosts (or just don't care).
>
> One additional note: it's possible to turn on clipboard forwarding in
> RDP and VNC (and it's a very useful thing) but AFAIR in most clients
> _one has to specify it implicitly_ (and sometimes there's a separate
> option that allows some restricted clipboard access, for example:
> copying from remote to local but not vice versa). Maybe someone will
> make a patch to implement such options in X2Go.




X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 12:17:26 2024; Machine Name: ymir.das-netzwerkteam.de
