diff -Nru vino-3.4.2/debian/changelog vino-3.4.2/debian/changelog
--- vino-3.4.2/debian/changelog 2012-06-21 16:00:12.000000000 +0000
+++ vino-3.4.2/debian/changelog 2013-01-18 16:27:01.000000000 +0000
@@ -1,3 +1,12 @@
+vino (3.4.2-0ubuntu1.2) precise-security; urgency=low
+
+ * SECURITY UPDATE: clipboard leak to unauthenticated clients
+ - debian/patches/CVE-2012-4429.patch: make sure client is authenticated
+ in server/libvncserver/rfbserver.c.
+ - CVE-2012-4429
+
+ -- Marc Deslauriers Fri, 18 Jan 2013 11:26:51 -0500
+
 vino (3.4.2-0ubuntu1.1) precise-proposed; urgency=low
 
 * debian/patches/disable_webservices_check.patch: really disable the
diff -Nru vino-3.4.2/debian/control vino-3.4.2/debian/control
--- vino-3.4.2/debian/control 2012-06-21 16:00:23.000000000 +0000
+++ vino-3.4.2/debian/control 2013-01-18 16:28:09.000000000 +0000
@@ -8,7 +8,7 @@
 Priority: optional
 Maintainer: Ubuntu Developers
 XSBC-Original-Maintainer: Debian GNOME Maintainers
-Uploaders: Debian GNOME Maintainers , Jeremy Bicha
+Uploaders: Debian GNOME Maintainers
 Build-Depends: cdbs (>= 0.4.41),
 debhelper (>= 8),
 gnome-common,
diff -Nru vino-3.4.2/debian/patches/CVE-2012-4429.patch vino-3.4.2/debian/patches/CVE-2012-4429.patch
--- vino-3.4.2/debian/patches/CVE-2012-4429.patch 1970-01-01 00:00:00.000000000 +0000
+++ vino-3.4.2/debian/patches/CVE-2012-4429.patch 2013-01-18 16:26:43.000000000 +0000
@@ -0,0 +1,45 @@
+From 9c8b9f81205203db6c31068babbfb8a734acacdb Mon Sep 17 00:00:00 2001
+From: Huzaifa Sidhpurwala
+Date: Mon, 17 Dec 2012 22:11:46 +0000
+Subject: Do not leak clipboard to unauthenticated clients
+
+vino_server_clipboard_cb() in vino-server.c is the callback which is
+triggered when a clipboard copy event is fired.
+
+After doing some initial checks, (1. If there are any connected clients,
+2. If the server is on hold etc), it converts the text to UTF-8 and then
+passes it on to rfbSendServerCutText(). Here data is pasted to each
+client, without verifying if the client is authenticated.
+
+The patch checks if the client is authenticated and only then it allows
+the clipboard text to be sent to it.
+
+Fixes bug 678434. This is a security issue, and has been assigned
+CVE-2012-4429:
+http://www.openwall.com/lists/oss-security/2012/09/14/1
+---
+Index: vino-3.4.2/server/libvncserver/rfbserver.c
+===================================================================
+--- vino-3.4.2.orig/server/libvncserver/rfbserver.c 2011-05-07 06:57:29.000000000 -0400
++++ vino-3.4.2/server/libvncserver/rfbserver.c 2013-01-18 11:26:41.623262684 -0500
+@@ -1519,7 +1519,8 @@
+
+
+ /*
+- * rfbSendServerCutText sends a ServerCutText message to all the clients.
++ * rfbSendServerCutText sends a ServerCutText message to all the authenticated
++ * clients.
+ */
+
+ void
+@@ -1531,6 +1532,10 @@
+
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
++ /* Client is not authenticated, ignore. See GNOME bug 678434. */
++ if (cl->state != RFB_NORMAL)
++ continue;
++
+ sct.type = rfbServerCutText;
+ sct.length = Swap32IfLE(len);
+ if (WriteExact(cl, (char *)&sct,
diff -Nru vino-3.4.2/debian/patches/series vino-3.4.2/debian/patches/series
--- vino-3.4.2/debian/patches/series 2012-06-21 15:58:00.000000000 +0000
+++ vino-3.4.2/debian/patches/series 2013-01-18 16:26:40.000000000 +0000
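Review bot: The authenticated-state guard is added only to the client loop in rfbSendServerCutText (second inner hunk of CVE-2012-4429.patch). Any other routine in rfbserver.c that walks `rfbGetClientIterator()` and writes to every client would need the same `cl->state != RFB_NORMAL` check; that cannot be confirmed from this hunk and is worth auditing before treating the leak as closed. The new comment says "not authenticated", but the test is an allow-list on RFB_NORMAL and so also skips a client in any other handshake state; I would word it as `/* Only clients in RFB_NORMAL have finished the handshake; skip all others (GNOME bug 678434, CVE-2012-4429). */`. The loop body runs past the end of the hunk at the WriteExact call, so how a failed send is handled is not visible here.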
@@ -6,3 +6,4 @@
 12_app-indicators-only.patch
 nodisplay_autostart.patch
 disable_webservices_check.patch
+CVE-2012-4429.patch