Red Hat Bugzilla – Bug 421461
CVE-2007-6389 gnome-screensaver clipboard content leak
Last modified: 2008-05-07 16:11:11 EDT
Description of problem:
Quoting Debian bug report:
With the addition of the feature to send a message to the logged in user
when they return and unlock a locked session, this gives local attackers
the ability to read the X selection and clipboard buffers with a middle
click on the mouse and a Ctrl+V. I note that the box to leave a message
doesn't have a context menu that you could paste via, but it doesn't go
CVE identifier was requested
This was recently fixed upstream.
Ah, I'm not paying close enough attention. You've already mentioned the upstream
Ray: Still, thanks for noticing. I'd like to see this fixed by an update, but
Mitre still didn't assign a CVE. By the way, does the user have the possibility to
disable the feature at all?
It's a compile-time thing, unfortunately. The only way to disable it is to
rebuild without libnotify support or turn on dialog themes and load a themed
dialog that lacks the button (I think our default one lacks the button actually,
so you should be able to use it until an update goes out).
What's the status of fixing this in stable releases?
This fell off my radar. I'll look into this today after some 5.2 work.
This only affects the version of Gnome in Fedora, as the current version in
RHEL5 lacks the ability to leave a message for a user.
This issue was addressed in: