X2Go Bug report logs - #506
Globally allow server-side disabling of the clipboard

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: pending, security

Fixed in version 4.0.1.16

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

Received: (at submit) by bugs.x2go.org; 1 Jul 2013 02:46:32 +0000
From calestyo@scientia.net  Mon Jul  1 04:46:32 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_IN_DNSWL_BLOCKED
	autolearn=ham version=3.3.2
X-Greylist: delayed 469 seconds by postgrey-1.34 at ymir; Mon, 01 Jul 2013 04:46:32 CEST
Received: from mailgw01.dd24.net (mailgw01.dd24.net [193.46.215.41])
	by ymir (Postfix) with ESMTPS id 319B85DA79
	for <submit@bugs.x2go.org>; Mon,  1 Jul 2013 04:46:32 +0200 (CEST)
Received: from localhost (amavis01.dd24.net [192.168.1.111])
	by mailgw01.dd24.net (Postfix) with ESMTP id C88377CC194
	for <submit@bugs.x2go.org>; Mon,  1 Jul 2013 02:38:43 +0000 (GMT)
X-Virus-Scanned: domaindiscount24.com mail filter gateway
Received: from mailgw01.dd24.net ([192.168.1.191])
	by localhost (amavis01.dd24.net [192.168.1.105]) (amavisd-new, port 10191)
	with ESMTP id ZbrxJaRO-CAr for <submit@bugs.x2go.org>;
	Mon,  1 Jul 2013 02:38:39 +0000 (GMT)
Received: from [192.168.0.102] (host-188-174-220-133.customer.m-online.net [188.174.220.133])
	(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by mailgw01.dd24.net (Postfix) with ESMTPSA id E155A7CC16C
	for <submit@bugs.x2go.org>; Mon,  1 Jul 2013 02:38:38 +0000 (GMT)
Message-ID: <1372646308.18508.2.camel@heisenberg.scientia.net>
Subject: SECURITY:  x2goclient allows clipboard sniffing
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: submit@bugs.x2go.org
Date: Mon, 01 Jul 2013 04:38:28 +0200
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.4.4-3 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit

Package: x2goclient
Severity: grave
Tags: security

Hi.

From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588


It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other
related tools?) transmit the content of the clipboard to the remote
host.

As this may easily contain passwords or other sensitive information,
this is a extremely
critical hole.


Cheers,
Chris.

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 13:54:48 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.