Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: CVE-2009-2260 stardict: network queries may expose sensitive information
Alias: CVE-2009-2260
https://bugzilla.redhat.com/show_bug.cgi?id=508945
Summary: CVE-2009-2260 stardict: network queries may expose sensitive information
Product: Security Response
Version: unspecified
Platform: All
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2260
OS/Version: Linux
Status: NEW
Status Whiteboard: impact=low?,source=debian,reported=20090626,public=20090626
Keywords: Security
Severity: medium
Priority: medium
Component: vulnerability
AssignedTo: security-response-team@redhat.com
ReportedBy: thoger@redhat.com
CC: majain@redhat.com, cchance@redhat.com, zhu@redhat.com, fedora-i18n-bugs@redhat.com
Estimated Hours: 0.0
Classification: Other
Target Release: ---
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2260 to the following vulnerability:
stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network.
References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731
http://www.securityfocus.com/archive/1/504583
Tomas Hoger thoger@redhat.com changed:
Status Whiteboard
  Removed: impact=low?,source=debian,reported=20090626,public=20090626
  Added:   impact=low?,source=debian,reported=20090626,public=20090626,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
--- Comment #1 from Tomas Hoger thoger@redhat.com 2009-06-30 12:13:36 EDT ---
I'm not too familiar with stardict, so I'm open to some suggestions regarding this "flaw". I'm using quotes here, as this seems to be expected behaviour, probably with a bad default and with a not-too-safe network communication part.
Support for queries to a remote stardict server is available in current Fedora stardict packages (3.0.1), and is enabled by default. stardict in Red Hat Enterprise Linux 5 (2.4.5) does not seem to support such remote queries.
The problem is that a query is done whenever the user adds something to his/her X clipboard (e.g. by selecting some text using the mouse). This sends a query to the pre-configured stardictd server (dict.stardict.org by default), which the user may not trust to receive queries for arbitrary clipboard content. Additionally, the network communication does not seem to use any encryption, so besides the server, anyone able to sniff the communication can see parts of the victim's clipboard content. However, a possible attacker has no way to influence what info may be leaked via this feature.
Not enabling network dictionaries seems to be a saner default. A clear warning about the consequences of having net dict enabled in the options window may be good too.
Caius, do you have a closer relationship with upstream? Not sure if they are already aware of this being publicly treated as a security flaw.
--- Comment #2 from Caius 'kaio' Chance cchance@redhat.com 2009-06-30 20:00:53 EDT ---
Since chief dev Hu Zheng left Red Hat, I lost contact with him on the Internet very soon after. Just checked the project site on sf.net and spotted what seem to be recent version updates.
Will send a mail to the mailing list. Hope it won't sink among spam mails.
--- Comment #3 from Caius 'kaio' Chance cchance@redhat.com 2009-06-30 21:09:43 EDT ---
Cloned to tracker on official site:
http://sourceforge.net/tracker/?func=detail&aid=2814932&group_id=806...
Tomas Hoger thoger@redhat.com changed:
Status Whiteboard
  Removed: impact=low?,source=debian,reported=20090626,public=20090626,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
  Added:   impact=low,source=debian,reported=20090626,public=20090626,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N
--- Comment #4 from Tomas Hoger thoger@redhat.com 2009-07-01 12:14:51 EDT ---
Thank you for opening the upstream bug. I saw their forums yesterday, overwhelmed with spam.
Nevertheless, the change of the default is likely to be a one-liner change in src/conf.cpp. I think we should disable by default, even if upstream disagrees. Definitely a default I'd like to see in future rhel6.
--- Comment #5 from Caius 'kaio' Chance cchance@redhat.com 2009-07-02 19:42:21 EDT ---
Feel free to send me a patch; I could include that anytime. :)
--- Comment #6 from Tomas Hoger thoger@redhat.com 2009-07-03 09:31:39 EDT ---
Created an attachment (id=350435) --> (https://bugzilla.redhat.com/attachment.cgi?id=350435)
Disable network dictionaries by default
This should be enough to have network dictionary disabled by default.
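An added example, not part of the bug report or of stardict's code: an audit check showing why the compiled-in default matters, since a user who never opened the preferences has no setting in their config file and inherits whatever the build ships. The section and key names (`/apps/stardict/preferences/network`, `enable_netdict`, `server`) and the sample configs are assumptions made for illustration.

```python
import configparser

# Assumed names (not given in the bug report): the key-file section and keys
# under which StarDict is taken to store its network dictionary preferences.
SECTION = "/apps/stardict/preferences/network"
ENABLE_KEY = "enable_netdict"
SERVER_KEY = "server"
DEFAULT_SERVER = "dict.stardict.org"  # default server named in the report

# Constructed sample configs, one per user profile.
SAMPLES = {
    "untouched": "[constructed/other]\nsome_key=1\n",
    "opted_out": f"[{SECTION}]\n{ENABLE_KEY}=false\n",
    "opted_in": f"[{SECTION}]\n{ENABLE_KEY}=true\n{SERVER_KEY}=dict.example.org\n",
}

def netdict_status(cfg_text, build_default):
    """Return (enabled, decided_by, server) for one config file's text.

    build_default is the compiled-in default: True for the packages the
    report describes, False once the default has been switched off.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(cfg_text)
    server = cp.get(SECTION, SERVER_KEY, fallback=DEFAULT_SERVER)
    if not cp.has_option(SECTION, ENABLE_KEY):
        # The user never touched the setting, so the build default decides.
        return build_default, "build default", server
    try:
        return cp.getboolean(SECTION, ENABLE_KEY), "user config", server
    except ValueError:
        # Unreadable value: report as enabled so it gets reviewed.
        return True, "unparsable value", server

def exposed(samples, build_default):
    """Names of profiles whose clipboard lookups would go to a remote server."""
    return sorted(n for n, text in samples.items()
                  if netdict_status(text, build_default)[0])

if __name__ == "__main__":
    for default in (True, False):
        print(f"build default enabled={default}: {exposed(SAMPLES, default)}")
```

With the default switched off, only the profile that explicitly opted in is still reported.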
--- Comment #7 from Tomas Hoger thoger@redhat.com 2009-07-03 09:35:34 EDT ---
Created an attachment (id=350436) --> (https://bugzilla.redhat.com/attachment.cgi?id=350436)
Network dictionary warning
Quick idea for the warning about the risks associated with using network dictionaries. It sure can be better worded (suggestions welcome), and may also benefit from some 'even if you don't care about requests being sniffed, think if you trust remote server that may e.g. log all your requests' part. If something like this should be used, it also needs the i18n part done properly, with all required translations.
Vincent Danen vdanen@redhat.com changed:
CC
  Removed: (none)
  Added:   vdanen@redhat.com
--- Comment #8 from Vincent Danen vdanen@redhat.com 2009-12-02 16:23:56 EDT ---
Upstream has not made any notes on the cloned bug report. I think this has probably waited long enough and it would be good to apply the patch to disable network dictionaries by default.
Caius 'kaio' Chance cchance@redhat.com changed:
Status
  Removed: NEW
  Added:   CLOSED
Resolution
  Removed: (none)
  Added:   RAWHIDE
--- Comment #11 from Caius 'kaio' Chance cchance@redhat.com 2009-12-26 13:21:32 EDT ---
done - http://koji.fedoraproject.org/koji/taskinfo?taskID=1891778