Bug 1320263 (CVE-2016-3066)
Summary: | CVE-2016-3066 spice-gtk: hijacks clipboard and sends contents to remote servers | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | alon, bancfc, berrange, carnil, cfergeau, dblechte, erik-fedora, fidencio, fziglio, hdegoede, intrigeri, ivan+redhat, marcandre.lureau, orion, rbalakri, rh-spice-bugs, rjones, sandmann, virt-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-03-20 14:37:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1320264, 1320265 | | |
Bug Blocks: | 1320267 | | |

Description
Kurt Seifried
2016-03-22 17:06:16 UTC
Acknowledgments: Name: Daniel P. Berrange (Red Hat)

Created spice-gtk tracking bugs for this issue: Affects: fedora-all [bug 1320265]

Created mingw-spice-gtk tracking bugs for this issue: Affects: fedora-all [bug 1320264]

The original description of this bug is not entirely accurate. Under normal use, at least with a Linux guest, the spice-gtk widget will only tell the guest that there is clipboard data, and in which formats / mime-types this data is available; it will not request the data from the clipboard, nor send it, without the guest requesting the data (in a specific format).

Now a malicious guest could request this data immediately, so there definitely is something to be concerned about here. But normally the guest will not request it (unless perhaps it is, say, running a clipboard manager?).

So in theory the guest should only request the actual clipboard contents on CTRL+v (or a paste menu click), which can only happen when the spice-gtk widget has focus, so things can potentially be improved by not allowing the guest to request the clipboard contents when spice-gtk does not have focus. Such a fix may need to be configurable since this may very well break e.g. clipboard managers in the guest.

Note that this can not only be turned off client-side as noticed in the original description, but in case people are worried about a leak in the other direction, it can also be disabled server (host) side for a specific vm.

This can be tackled by implementing a "secure clipboard" scheme as proposed here some time ago: https://lists.freedesktop.org/archives/spice-devel/2015-April/019617.html

This is very bad, especially because clipboard sharing is unconditionally enabled with no warning. It's easy to think that guests can't read the host clipboard because one never enabled it (where?), or because spice-vdagent isn't installed (yet... until the guest is compromised).

VMware Workstation doesn't allow guests to see new host clipboard data until the guest window is focused, which may be a good compromise that doesn't require learning secure-clipboard shortcuts. It also forbids a guest->host clipboard change unless the guest window is focused.

Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
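
Added example, not part of the bug report and not spice-gtk code: a small C model of the focus gate suggested in the comments above (refuse guest requests for host clipboard contents while the display widget is unfocused, with a knob to keep the old behaviour for guest clipboard managers), extended to the guest->host direction as described for VMware Workstation. All type and function names are hypothetical and the event trace is constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of a client-side clipboard gate; not spice-gtk API. */
typedef enum { EV_FOCUS_IN, EV_FOCUS_OUT, EV_HOST_COPY,
               EV_GUEST_REQUEST, EV_GUEST_GRAB } ev_type;

typedef struct {
    bool require_focus;   /* policy knob; false = behaviour the bug describes */
    bool focused;         /* display widget currently has keyboard focus */
    bool host_has_data;   /* host clipboard types were announced to the guest */
    unsigned released;    /* host clipboard contents actually sent to guest */
    unsigned guest_grabs; /* guest->host clipboard changes accepted */
    unsigned denied;      /* guest actions refused by the gate */
} clip_gate;

/* Returns true if the event is allowed to take effect. */
bool clip_gate_handle(clip_gate *g, ev_type ev) {
    bool gated = g->require_focus && !g->focused;
    switch (ev) {
    case EV_FOCUS_IN:  g->focused = true;  return true;
    case EV_FOCUS_OUT: g->focused = false; return true;
    case EV_HOST_COPY: /* only the available types are announced, no data */
        g->host_has_data = true; return true;
    case EV_GUEST_REQUEST: /* guest asks for the contents in some format */
        if (!g->host_has_data || gated) { g->denied++; return false; }
        g->released++; return true;
    case EV_GUEST_GRAB: /* guest tries to replace the host clipboard */
        if (gated) { g->denied++; return false; }
        g->guest_grabs++; return true;
    }
    return false;
}

/* Constructed trace: guest polls right after a host copy while unfocused,
 * the user then focuses the widget and pastes, then leaves and copies again. */
static const ev_type TRACE[] = {
    EV_HOST_COPY, EV_GUEST_REQUEST,   /* background poll by the guest */
    EV_FOCUS_IN,  EV_GUEST_REQUEST,   /* user-initiated paste */
    EV_FOCUS_OUT, EV_HOST_COPY, EV_GUEST_REQUEST, EV_GUEST_GRAB,
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Replays a trace under the chosen policy and returns the final counters. */
clip_gate replay(bool require_focus, const ev_type *trace, size_t n) {
    clip_gate g = { .require_focus = require_focus };
    for (size_t i = 0; i < n; i++)
        clip_gate_handle(&g, trace[i]);
    return g;
}
```

With the gate on, only the paste made while the widget is focused releases data; with it off, every guest request on the same trace succeeds.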