Message-ID: <1300136870.5865.3.camel@macbook.infradead.org>
Date: Mon, 14 Mar 2011 21:07:49 +0000
From: David Woodhouse <dwmw2@...radead.org>
To: Josh Bressers <bressers@...hat.com>
Cc: oss-security@...ts.openwall.com, David King <amigadave@...gadave.com>, 
 Mark McLoughlin <mark@...net.ie>, "Steven M. Christey"
 <coley@...us.mitre.org>
Subject: Re: CVE Request / Discussion -- vino -- reports the
 desktop being reachable only over the local network, when reachable from
 everywhere

On Mon, 2011-03-14 at 16:59 -0400, Josh Bressers wrote:
> This looks like one id for vino improperly claiming that the machine is only
> accessible via the local network.
> 
> Another for it using uPnP to open up a router without proper warning.

I'd concur with the former, but not the latter. Issuing a CVE for that
kind of thing just encourages the people who mistakenly view NAT as a
form of security. uPnP is just one of the *many* reasons that viewpoint
is wrong.

If you wouldn't issue a CVE for vino listening with socket() and bind()
system calls, then you shouldn't issue a CVE for it using uPnP to listen
either. uPnP is just the normal way to work around broken networking.

As far as I'm concerned there is only one issue here; the misreporting
that only local access is possible when in fact it's not.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation
