X2Go Bug report logs - #509
Document NX/X11 security issue: clipboard sniffing

Package: wiki.x2go.org; Maintainer for wiki.x2go.org is x2go-dev@lists.x2go.org;

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: security

Full log

đź”— View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#258: [X2Go-Dev] Bug#258: Bug#258: Bug#258: Bug#258: SECURITY: x2goclient allows clipboard sniffing
Reply-To: Moritz Struebe <Moritz.Struebe@informatik.uni-erlangen.de>, 258@bugs.x2go.org
Resent-From: Moritz Struebe <Moritz.Struebe@informatik.uni-erlangen.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 03 Jul 2013 08:33:01 +0000
Resent-Message-ID: <handler.258.B258.137283963419142@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 258
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: security
Received: via spool by 258-submit@bugs.x2go.org id=B258.137283963419142
          (code B ref 258); Wed, 03 Jul 2013 08:33:01 +0000
Received: (at 258) by bugs.x2go.org; 3 Jul 2013 08:20:34 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_IN_DNSWL_BLOCKED,
	T_FILL_THIS_FORM_SHORT,URIBL_BLOCKED autolearn=ham version=3.3.2
X-Greylist: delayed 399 seconds by postgrey-1.34 at ymir; Wed, 03 Jul 2013 10:20:33 CEST
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [])
	by ymir (Postfix) with ESMTPS id C54FE5DB13
	for <258@bugs.x2go.org>; Wed,  3 Jul 2013 10:20:33 +0200 (CEST)
Received: from [IPv6:2001:638:a000:4134::ffff:51] (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51])
	by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id A8DA358C6E6;
	Wed,  3 Jul 2013 10:13:53 +0200 (CEST)
Message-ID: <51D3DD41.70605@informatik.uni-erlangen.de>
Date: Wed, 03 Jul 2013 10:13:53 +0200
From: Moritz Struebe <Moritz.Struebe@informatik.uni-erlangen.de>
Organization: Uni Erlangen-Nuernberg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Christoph Anton Mitterer <calestyo@scientia.net>, 258@bugs.x2go.org, 
References: <1372646308.18508.2.camel@heisenberg.scientia.net> <20130701114356.GP2447@cip.informatik.uni-erlangen.de> <1372682609.25918.14.camel@heisenberg.scientia.net> <20130701140132.GQ2447@cip.informatik.uni-erlangen.de> <1372728469.11367.26.camel@fermat.scientia.net> <20130702180752.6b3c8c97@warp> <1372787237.7849.101.camel@heisenberg.scientia.net>
In-Reply-To: <1372787237.7849.101.camel@heisenberg.scientia.net>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms070501030000090102000703"
[Message part 1 (text/plain, inline)]

On 2013-07-02 19:47, Christoph Anton Mitterer wrote:
> I'd propose the following now:
> As this bug is now cluttered all over with two different issues
> - clipboard sniffing and the warning when it was activated
> - security measures and better documentation about what NX/X2go really
> does
> I'd close this bug, and open two new ones, one for each issue...
> referencing that old bug... so that all topics can be discussed (perhaps
> fixed) in a more simple fashion.

I think this is a good Idea. I just want to warn you that this issue
will not have an very high priority, as most/all core devs work in
scenarios where host _and_ client are trusted. None the less
contributions to the documentation are very welcome, and can be easily
contributed without coding skills. ;) - If you need pointers on getting
started feel free to ask.


Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter)
Lehrstuhl fĂĽr Informatik 4 (Verteilte Systeme und Betriebssysteme)
Friedrich-Alexander-Universität Erlangen-Nürnberg
Martensstr. 1
91058 Erlangen

Tel   : +49 9131 85-25419
Fax   : +49 9131 85-28732
eMail : struebe@informatik.uni-erlangen.de
WWW   : http://www4.informatik.uni-erlangen.de/~morty

[smime.p7s (application/pkcs7-signature, attachment)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Feb 3 13:39:53 2023; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.