X2Go Bug report logs - #258
SECURITY: x2goclient allows clipboard sniffing


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: pending, security

Fixed in version 4.0.2.1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.




Subject: Bug#258: [X2Go-User] Limiting clipboard sharing
Date: Tue, 28 Jan 2014 17:11:36 +0100
From: Kris Ilowiecki <kril@sourcecap.ch>
To: x2go-user@lists.berlios.de
CC: 258@bugs.x2go.org

Hi Mike#1,

On 01/28/2014 04:49 PM, Mike Gabriel wrote:
> There should be two approaches...
>
>   1) disable clipboard server-side for all users
>   2) disable clipboard in X2Go Client / PyHoca-GUI on the client-side
>
> The first is easy. Please look at /usr/bin/x2gostartagent of x2goserver
> package and make clipboard configurable via /etc/x2go/x2goserver.conf.
> Send a patch to our BTS [1].
>

Thank you very much!
The first approach is indeed what is needed in my case.
I will have a look there.

I have been looking through the sources, and my most recent idea was
experimenting with editing /usr/bin/nxagent to run nxagent.bin
with something like "-clipboard no".

I will try the exact approach you are suggesting, though
my bash+awk aren't that good.

Many thanks,
Kris

> The second approach is for us devs, I guess...
>
> The workaround provided by Mike#2 is a fine approach, but not a real
> solution to this problem.
>
> Mike#1
>
> [1] http://wiki.x2go.org/doku.php/wiki:bugs
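
Mike#1's first approach (a server-side clipboard setting read from /etc/x2go/x2goserver.conf), shown here as an added example that is not part of the original thread or of the x2goserver code. The `[x2goagent]` section, the `clipboard` key, its four values and the defaults are assumptions; how the resolved mode is handed to the agent is not covered.

```shell
#!/bin/sh
# Added example, not x2goserver code. The [x2goagent] section, the "clipboard"
# key and the values both/client/server/none are assumptions for illustration.

# Constructed sample config, written to a temp file so the example runs offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[limit users]
#someuser=1

[x2goagent]
Clipboard = None   # constructed site policy
EOF

# Print the value of key $3 in section [$2] of INI file $1 (last match wins).
ini_get() {
    awk -v want="$2" -v key="$3" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # CRLF, outer blanks
        /^$/ || /^[#;]/ { next }                          # blank or comment line
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+[#;].*$/, "", v)                   # trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

# Resolve the clipboard mode for a session. Unreadable file or unrecognized
# value -> "none" (fail closed); key absent or empty -> "both" (assumed
# legacy default).
clipboard_mode() {
    [ -r "$1" ] || { echo none; return 0; }
    raw=$(ini_get "$1" x2goagent clipboard | tr '[:upper:]' '[:lower:]')
    case "$raw" in
        both|client|server|none) echo "$raw" ;;
        "") echo both ;;
        *)  echo none ;;
    esac
}

echo "clipboard mode: $(clipboard_mode "$SAMPLE_CONF")"
```

A misspelled value resolves to `none` rather than to the permissive default, so a configuration typo cannot silently turn clipboard sharing back on.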



X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 12:43:54 2024; Machine Name: ymir.das-netzwerkteam.de
