Fwd: vino: vnc-http not obeying network-interface bind address
Jonathan McCrohan
jmccrohan at gmail.com
Sun Oct 30 20:55:06 UTC 2011
Hi all,
I submitted this bug report to Debian security team but I have not heard back,
nor received a bug report acknowledgement.
I'm just forwarding this to the vino maintainers in case the report got lost.
Regards,
Jonathan
-------- Original Message --------
Subject: vino: vnc-http not obeying network-interface bind address
Date: Tue, 25 Oct 2011 17:16:35 +0100
From: Jonathan McCrohan <jmccrohan at gmail.com>
To: team at security.debian.org
Package: vino
Version: 3.2.1-1
Severity: grave
Tags: upstream security
Justification: user security hole
Vino does not respect the network-interface dconf variable.
After setting network-interface to 'lo', the vnc service binds to port 5900
on localhost as expected, but the vnc-http service continues to bind to all
interfaces on port 5800.
root@host:/# lsof -i -n -P | grep vino
vino-serv 10214 user 15u IPv4 13649142 0t0 TCP 127.0.0.1:5900 (LISTEN)
vino-serv 10214 user 16u IPv6 13649143 0t0 TCP [::1]:5900 (LISTEN)
vino-serv 10214 user 17u IPv6 13649136 0t0 TCP *:5800 (LISTEN)
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages vino depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.7.5-3
ii libavahi-client3 0.6.30-5
ii libavahi-common3 0.6.30-5
ii libavahi-glib1 0.6.30-5
ii libc6 2.13-21
ii libcairo2 1.10.2-6.1
ii libdbus-glib-1-2 0.98-1
ii libgcrypt11 1.5.0-3
ii libglib2.0-0 2.28.8-1
ii libgnome-keyring0 3.2.0-3
ii libgnutls26 2.12.12-1
ii libgtk-3-0 3.0.12-2
ii libice6 2:1.0.7-2
ii libjpeg8 8c-2
ii libnotify4 0.7.4-1
ii libsm6 2:1.2.0-2
ii libsoup2.4-1 2.36.0-1
ii libtelepathy-glib0 0.16.0-1
ii libx11-6 2:1.4.4-2
ii libxdamage1 1:1.1.3-2
ii libxext6 2:1.3.0-3
ii libxfixes3 1:5.0-4
ii libxtst6 2:1.2.0-4
ii zlib1g 1:1.2.3.4.dfsg-3
Versions of packages vino recommends:
ii gvfs 1.8.2-2
Versions of packages vino suggests:
ii gnome-user-guide 3.2.1-1
ii vinagre 3.2.1-1
-- no debconf information
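
The check made by hand in the report above, written as a reusable script. This is an added example, not part of the original message or of vino; the function names are hypothetical, and it assumes the default 10-column `lsof -i -n -P` layout shown in the report.

```shell
#!/bin/sh
# Added example (not from the original report). Function names are hypothetical.
# Reads `lsof -i -n -P` output on stdin and prints the address:port of every
# TCP listener owned by the named command that is NOT bound to loopback.
# $1: command-name prefix as lsof prints it (lsof truncates names by default,
#     which is why the report shows "vino-serv").
non_loopback_listeners() {
    awk -v cmd="$1" '
        index($1, cmd) == 1 && $8 == "TCP" && $NF == "(LISTEN)" {
            addr = $(NF - 1)
            # Loopback here means 127.0.0.0/8 or [::1]; a wildcard (*) or any
            # other address is reported.
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            print addr
        }'
}

# Exit status 0 when every listener of the command is loopback-only,
# 1 otherwise; offending sockets are written to stderr.
check_loopback_only() {
    exposed=$(non_loopback_listeners "$1")
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^/non-loopback listener: /' >&2
        return 1
    fi
    return 0
}

# Constructed sample: the three listeners quoted in the report.
sample_lsof() {
    cat <<'EOF'
vino-serv 10214 user 15u IPv4 13649142 0t0 TCP 127.0.0.1:5900 (LISTEN)
vino-serv 10214 user 16u IPv6 13649143 0t0 TCP [::1]:5900 (LISTEN)
vino-serv 10214 user 17u IPv6 13649136 0t0 TCP *:5800 (LISTEN)
EOF
}

# Live use after setting network-interface to 'lo':
#   lsof -i -n -P | check_loopback_only vino-serv
```

On the sample taken from the report, the check fails and names `*:5800`, the vnc-http listener.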