Description of problem:
Quoting Debian bug report:

With the addition of the feature to send a message to the logged in user when they return and unlock a locked session, this gives local attackers the ability to read the X selection and clipboard buffers with a middle click on the mouse and a Ctrl+V. I note that the box to leave a message doesn't have a context menu that you could paste via, but it doesn't go far enough.

Additional info:
http://bugzilla.gnome.org/show_bug.cgi?id=503005
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455484
A CVE identifier was requested.
This was recently fixed upstream.
Ah, I'm not paying close enough attention. You've already mentioned the upstream report.
Ray: Still thanks for noticing. I'd like to see this fixed by an update, but Mitre still didn't assign a CVE. By the way, does the user have the possibility to disable the feature at all?
It's a compile-time thing, unfortunately. The only way to disable it is to rebuild without libnotify support or turn on dialog themes and load a themed dialog that lacks the button (I think our default one lacks the button actually, so you should be able to use it until an update goes out).
What's the status of fixing this in stable releases?
This fell off my radar, I'll look into this today after some 5.2 work.
This only affects the version of GNOME in Fedora, as the current version in RHEL5 lacks the ability to leave a message for a user.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2818
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2872