From: Moritz Struebe
Organization: Uni Erlangen-Nuernberg
To: Christoph Anton Mitterer, 258@bugs.x2go.org, x2go-dev@lists.berlios.de
Date: Wed, 03 Jul 2013 10:13:53 +0200
Subject: Bug#258: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security

Hey.

On 2013-07-02 19:47, Christoph Anton Mitterer wrote:
> I'd propose the following now:
> As this bug is now cluttered all over with two different issues
> - clipboard sniffing and the warning when it was activated
> - security measures and better documentation about what NX/X2go really
> does
>
> I'd close this bug, and open two new ones, one for each issue...
> referencing that old bug... so that all topics can be discussed (perhaps
> fixed) in a more simple fashion.

I think this is a good idea. I just want to warn you that this issue
will not have a very high priority, as most/all core devs work in
scenarios where host _and_ client are trusted.

Nonetheless, contributions to the documentation are very welcome, and
can be easily contributed without coding skills. ;) - If you need
pointers on getting started feel free to ask.

Morty

--
Dipl.-Ing. Moritz 'Morty' Struebe (Research Associate)
Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen

Tel : +49 9131 85-25419
Fax : +49 9131 85-28732
eMail : struebe@informatik.uni-erlangen.de
WWW : http://www4.informatik.uni-erlangen.de/~morty