[Fedora-i18n-bugs] [Bug 508945] CVE-2009-2260 stardict: network queries may expose sensitive information

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 30 16:13:37 UTC 2009




https://bugzilla.redhat.com/show_bug.cgi?id=508945


Tomas Hoger <thoger at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|impact=low?,source=debian,r |impact=low?,source=debian,r
                   |eported=20090626,public=200 |eported=20090626,public=200
                   |90626                       |90626,cvss2=2.6/AV:N/AC:H/A
                   |                            |u:N/C:P/I:N/A:N




--- Comment #1 from Tomas Hoger <thoger at redhat.com>  2009-06-30 12:13:36 EDT ---
I'm not too familiar with stardict, so I'm open to some suggestions regarding
this "flaw".  I'm using quotes here, as this seems to be expected behaviour,
probably with a bad default and with a not-too-safe network communication part.

Support for queries to a remote stardict server is available in current Fedora
stardict packages (3.0.1), and is enabled by default.  stardict in Red Hat
Enterprise Linux 5 (2.4.5) does not seem to support such remote queries.

The problem is that a query is done whenever the user adds something to his/her X
clipboard (e.g. by selecting some text using the mouse).  This sends a query to
the pre-configured stardictd server (dict.stardict.org by default), which the user
may not trust to receive queries for arbitrary clipboard content.  Additionally,
network communication does not seem to use any encryption, so besides the
server, anyone able to sniff the communication can see parts of the victim's
clipboard content.  However, a possible attacker has no way to influence what
info may be leaked via this feature.

Not enabling network dictionaries seems to be a saner default.  A clear warning
about the consequences of having net dict enabled in the options window may be
good too.

Caius, do you have a closer relationship with upstream?  Not sure if they are
already aware of this being publicly treated as a security flaw.
