Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=508945
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|impact=low?,source=debian,r |impact=low?,source=debian,r |eported=20090626,public=200 |eported=20090626,public=200 |90626 |90626,cvss2=2.6/AV:N/AC:H/A | |u:N/C:P/I:N/A:N
--- Comment #1 from Tomas Hoger thoger@redhat.com 2009-06-30 12:13:36 EDT --- I'm not too familiar with stardict, so I'm open to some suggestions regarding this "flaw". I'm using quotes here, as this seems to be expected behaviour, probably with bad default and with not-too-safe network communication part.
Support for queries to remote stardict server is available in current Fedora stardict packages (3.0.1), and is enabled by default. stardict in Red Hat Enterprise Linux 5 (2.4.5) does not seem to support such remote queries.
The problem is that query is done whenever user adds something to his/her X clipboard (e.g. by selecting some text using mouse). This sends query to pre-configured stardictd server (dict.stardict.org by default), which user may not trust to receive queries for arbitrary clipboard content. Additionally, network communication does not seem to use any encryption, so besides the server, anyone able to sniff communication can see parts of the victim's clipboard content. However, possible attacker has no way to influence what info may be leaked via this feature.
Not enabling network dictionaries seems to be a saner default. Clear warning about the consequences of having net dict enabled in the options window may be good too.
Caius, do you have closer relationship with upstream? Not sure if they are already aware about this being publicly treated as security flaw.