Bug 508945 - (CVE-2009-2260) CVE-2009-2260 stardict: network queries may expose sensitive information
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: impact=low,source=debian,reported=200...
Keywords: Security
Depends On: 543691
 
Reported: 2009-06-30 11:48 EDT by Tomas Hoger
Modified: 2010-01-02 16:29 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-12-26 13:21:32 EST


Attachments
Disable network dictionaries by default (825 bytes, patch), 2009-07-03 09:31 EDT, Tomas Hoger
Network dictionary warning (800 bytes, patch), 2009-07-03 09:35 EDT, Tomas Hoger

Description Tomas Hoger 2009-06-30 11:48:51 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2260 to the following vulnerability:

stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731
http://www.securityfocus.com/archive/1/504583
Comment 1 Tomas Hoger 2009-06-30 12:13:36 EDT
I'm not too familiar with stardict, so I'm open to some suggestions regarding this "flaw".  I'm using quotes here, as this seems to be expected behaviour, probably with a bad default and with a not-too-safe network communication part.

Support for queries to a remote stardict server is available in current Fedora stardict packages (3.0.1), and is enabled by default.  stardict in Red Hat Enterprise Linux 5 (2.4.5) does not seem to support such remote queries.

The problem is that the query is done whenever the user adds something to his/her X clipboard (e.g. by selecting some text using the mouse).  This sends a query to the pre-configured stardictd server (dict.stardict.org by default), which the user may not trust to receive queries for arbitrary clipboard content.  Additionally, the network communication does not seem to use any encryption, so besides the server, anyone able to sniff the communication can see parts of the victim's clipboard content.  However, a possible attacker has no way to influence what info may be leaked via this feature.

Not enabling network dictionaries seems to be a saner default.  A clear warning about the consequences of having net dict enabled in the options window may be good too.

Caius, do you have a closer relationship with upstream?  Not sure if they are already aware of this being publicly treated as a security flaw.
Comment 2 Caius Chance 2009-06-30 20:00:53 EDT
Since chief dev Hu Zheng left Red Hat, I lost contact with him on the Internet very soon after.  Just checked the project site on sf.net and it seems there have been recent version updates.

Will send a mail to the mailing list.  Hope it won't sink among spam mails.
Comment 3 Caius Chance 2009-06-30 21:09:43 EDT
Cloned to tracker on official site:

http://sourceforge.net/tracker/?func=detail&aid=2814932&group_id=80679&atid=560632
Comment 4 Tomas Hoger 2009-07-01 12:14:51 EDT
Thank you for opening the upstream bug.  I saw their forums yesterday, overwhelmed with spam.

Nevertheless, the change of the default is likely to be a one-liner change in src/conf.cpp.  I think we should disable it by default, even if upstream disagrees.  Definitely a default I'd like to see in a future rhel6.
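The leak described in Comment 1 (every new X selection is sent, unencrypted, to the pre-configured server) and the fix proposed in Comment 4 (network dictionaries off by default) can be modelled in a few dozen lines. The following is an added example written for this page, not StarDict's own code: the `SelectionWatcher`, `Config`, the `LOOKUP` line protocol and the in-memory `PlaintextWire` are hypothetical stand-ins, and `PlaintextWire.captured` plays the role of what a passive on-path sniffer would record. Only the default server name, dict.stardict.org, is taken from the report; the selection strings are constructed sample input.

```python
"""Model of CVE-2009-2260: a desktop client that looks up every new X
selection against a remote dictionary server over an unencrypted link.

Added example for this bug page, not StarDict code.  The config keys,
the "LOOKUP <text>" protocol and the wire object are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_SERVER = "dict.stardict.org"  # default server named in Comment 1

# Wording in the spirit of the "Network dictionary warning" attachment
# (hypothetical text, not the attachment's own).
NET_DICT_WARNING = (
    "Network dictionaries send the content of every selection to "
    f"{DEFAULT_SERVER} without encryption; the server and anyone on the "
    "path can see it."
)


@dataclass
class Config:
    # Before the fix this defaulted to True; the fix makes it opt-in.
    enable_net_dict: bool = False
    server: str = DEFAULT_SERVER


@dataclass
class PlaintextWire:
    """Stand-in for an unencrypted TCP session: every byte is observable."""
    captured: bytearray = field(default_factory=bytearray)

    def send(self, data: bytes) -> None:
        self.captured += data


class SelectionWatcher:
    """Receives selection-changed events the way the real client does.

    With net dict enabled, each selection becomes a plaintext query;
    with it disabled (the fixed default), nothing leaves the host.
    """

    def __init__(self, cfg: Config, wire: PlaintextWire) -> None:
        self.cfg = cfg
        self.wire = wire
        self.sent_queries: List[str] = []

    def on_selection_changed(self, text: str) -> bool:
        """Return True if a network query was issued for this selection."""
        query = text.strip()
        if not self.cfg.enable_net_dict or not query:
            return False
        # Hypothetical line protocol; the point is only that it is plaintext.
        self.wire.send(f"LOOKUP {query}\r\n".encode("utf-8"))
        self.sent_queries.append(query)
        return True


def enable_network_dictionaries(cfg: Config) -> str:
    """Opt-in path: turn the feature on and return the warning to display."""
    cfg.enable_net_dict = True
    return NET_DICT_WARNING


def sniffer_sees(wire: PlaintextWire, secret: str) -> bool:
    """What a passive observer learns: a substring search over the capture."""
    return secret.encode("utf-8") in bytes(wire.captured)


# Constructed sample selections: a password, an internal hostname, a word.
SELECTIONS = ["hunter2", "db-prod-03.internal", "serendipity"]


def run_scenario(enable_net_dict: bool) -> Tuple[List[str], List[str]]:
    """Feed the sample selections through the watcher.

    Returns (queries sent to the server, selections a sniffer recovered).
    """
    cfg = Config()
    if enable_net_dict:
        enable_network_dictionaries(cfg)
    wire = PlaintextWire()
    watcher = SelectionWatcher(cfg, wire)
    for selection in SELECTIONS:
        watcher.on_selection_changed(selection)
    leaked = [s for s in SELECTIONS if sniffer_sees(wire, s)]
    return watcher.sent_queries, leaked


if __name__ == "__main__":
    print("net dict enabled :", run_scenario(True))
    print("net dict disabled:", run_scenario(False))
```

With the feature on, every sample selection, including the password and the internal hostname, is recoverable from the capture; with the fixed default nothing is sent at all. The warning string is returned from the opt-in path so that the UI layer has to show it before the feature can be enabled.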
Comment 5 Caius Chance 2009-07-02 19:42:21 EDT
Feel free to send me a patch I could include that anytime. :)
Comment 6 Tomas Hoger 2009-07-03 09:31:39 EDT
Created attachment 350435
Disable network dictionaries by default

This should be enough to have network dictionary disabled by default.
Comment 7 Tomas Hoger 2009-07-03 09:35:34 EDT
Created attachment 350436
Network dictionary warning

Quick idea for the warning about the risks associated with using network dictionaries.  It sure can be better worded (suggestions welcome), and may also benefit from some 'even if you don't care about requests being sniffed, think about whether you trust a remote server that may e.g. log all your requests' part.  If something like this should be used, it also needs the i18n part done properly, with all required translations.
Comment 8 Vincent Danen 2009-12-02 16:23:56 EST
Upstream has not made any notes on the cloned bug report.  I think this has probably waited long enough, and it would be good to apply the patch to disable network dictionaries by default.
Comment 11 Caius Chance 2009-12-26 13:21:32 EST
done - http://koji.fedoraproject.org/koji/taskinfo?taskID=1891778
Comment 12 Fedora Update System 2010-01-02 16:29:28 EST
stardict-3.0.1-20.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.