1
From 9c8b9f81205203db6c31068babbfb8a734acacdb Mon Sep 17 00:00:00 2001
2
From: Huzaifa Sidhpurwala <huzaifas@redhat.com>
3
Date: Mon, 17 Dec 2012 22:11:46 +0000
4
Subject: Do not leak clipboard to unauthenticated clients
6
vino_server_clipboard_cb() in vino-server.c is the callback which is
7
triggered when a clipboard copy event is fired.
9
After doing some initial checks, (1. If there are any connected clients,
10
2. If the server is on hold etc), it converts the text to UTF-8 and then
11
passes it on to rfbSendServerCutText(). Here data is pasted to each
12
client, without verifying if the client is authenticated.
14
The patch checks if the client is authenticated and only then it allows
15
the clipboard text to be sent to it.
17
Fixes bug 678434. This is a security issue, and has been assigned
19
http://www.openwall.com/lists/oss-security/2012/09/14/1
21
diff --git a/server/libvncserver/rfbserver.c b/server/libvncserver/rfbserver.c
22
index 2d143fa..7dfbff9 100644
23
--- a/server/libvncserver/rfbserver.c
24
+++ b/server/libvncserver/rfbserver.c
25
@@ -1522,7 +1522,8 @@ rfbSendBell(rfbScreenInfoPtr rfbScreen)
29
- * rfbSendServerCutText sends a ServerCutText message to all the clients.
30
+ * rfbSendServerCutText sends a ServerCutText message to all the authenticated
35
@@ -1534,6 +1535,10 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
37
iterator = rfbGetClientIterator(rfbScreen);
38
while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
39
+ /* Client is not authenticated, ignore. See GNOME bug 678434. */
40
+ if (cl->state != RFB_NORMAL)
43
sct.type = rfbServerCutText;
44
sct.length = Swap32IfLE(len);
45
if (WriteExact(cl, (char *)&sct,