Red Hat Bugzilla – Bug 508945
CVE-2009-2260 stardict: network queries may expose sensitive information
Last modified: 2010-01-02 16:29:28 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2260 to the following vulnerability:
stardict 3.0.1, when Enable Net Dict is configured, sends the contents
of the clipboard to a dictionary server, which allows remote attackers
to obtain sensitive information by sniffing the network.
I'm not too familiar with stardict, so I'm open to some suggestions regarding this "flaw". I'm using quotes here, as this seems to be expected behaviour, probably with bad default and with not-too-safe network communication part.
Support for queries to remote stardict server is available in current Fedora stardict packages (3.0.1), and is enabled by default. stardict in Red Hat Enterprise Linux 5 (2.4.5) does not seem to support such remote queries.
The problem is that a query is made whenever the user adds something to his/her X clipboard (e.g. by selecting some text using the mouse). This sends a query to the pre-configured stardictd server (dict.stardict.org by default), which the user may not trust to receive queries for arbitrary clipboard content. Additionally, the network communication does not seem to use any encryption, so besides the server, anyone able to sniff the communication can see parts of the victim's clipboard content. However, a possible attacker has no way to influence what info may be leaked via this feature.
Not enabling network dictionaries seems to be a saner default. A clear warning about the consequences of having net dict enabled in the options window may be good too.
Caius, do you have a closer relationship with upstream? Not sure if they are already aware of this being publicly treated as a security flaw.
Since chief dev Hu Zheng left Red Hat, I lost contact with him on the Internet very soon after. Just checked the project site on sf.net and it seems there have been recent version updates.
Will send a mail to the mailing list. Hope it won't sink among the spam mails.
Cloned to the tracker on the official site:
Thank you for opening the upstream bug. I saw their forums yesterday; they are overwhelmed with spam.
Nevertheless, changing the default is likely to be a one-line change in src/conf.cpp. I think we should disable it by default, even if upstream disagrees. Definitely a default I'd like to see in a future rhel6.
Feel free to send me a patch I could include that anytime. :)
Created attachment 350435
Disable network dictionaries by default
This should be enough to have the network dictionary disabled by default.
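To make the behaviour described earlier in this bug concrete (every new X selection becomes a plaintext query to the configured server, so a passive observer sees the selection verbatim) and to show what the default change buys, here is an added model in Python. It is not StarDict code and not the attached patch: the option name, the "lookup" wire format, the port and the sample selections are all assumptions chosen for illustration; only the idea of an on/off default and an unencrypted link comes from the bug.

```python
"""Illustrative model of StarDict's scan-selection + network-dictionary
behaviour.  Added example, not StarDict code: option names, the wire
format and the sample selections below are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NetDictConfig:
    # Fedora's stardict 3.0.1 shipped with network dictionaries enabled;
    # the fix flips the shipped default to off.  Field name is assumed.
    enable_netdict: bool = False
    server: str = "dict.stardict.org"   # default server named in the bug
    port: int = 2628                     # assumed port, illustration only


@dataclass
class Wire:
    """Stand-in for the unencrypted TCP link; records every byte sent."""
    sent: List[bytes] = field(default_factory=list)

    def send(self, data: bytes) -> None:
        self.sent.append(data)


def lookup_on_selection(conf: NetDictConfig, selection: str,
                        wire: Wire) -> Optional[bytes]:
    """Model of the scan-selection hook, run for every new PRIMARY selection.

    Returns the bytes that left the host, or None when nothing was sent.
    With network dictionaries disabled the selection never reaches the wire.
    """
    if not conf.enable_netdict:
        return None
    # Assumed plaintext query format; the real stardictd protocol is not shown.
    query = b"lookup " + selection.encode("utf-8") + b"\r\n"
    wire.send(query)
    return query


def sniffer_view(wire: Wire) -> List[str]:
    """What a passive observer on the path sees: no encryption, so the
    selection text is recoverable verbatim from each query."""
    return [pkt.decode("utf-8", "replace").strip() for pkt in wire.sent]


# Constructed sample selections: a genuine word plus two things a user
# might select without intending to share them with a remote server.
SELECTIONS = ["serendipity", "hunter2", "4111 1111 1111 1111"]


def simulate(conf: NetDictConfig) -> List[str]:
    """Feed every sample selection through the hook and return the
    observer's view of the traffic."""
    wire = Wire()
    for sel in SELECTIONS:
        lookup_on_selection(conf, sel, wire)
    return sniffer_view(wire)


if __name__ == "__main__":
    shipped_before_fix = NetDictConfig(enable_netdict=True)
    print("net dict enabled :", simulate(shipped_before_fix))
    print("net dict disabled:", simulate(NetDictConfig()))
```

Run as a script, the first line shows all three selections leaving the host in cleartext, the second shows nothing sent. The point is that the only control the user has over what leaks is the enable switch, which is why the default matters.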
Created attachment 350436
Network dictionary warning
Quick idea for the warning about the risks associated with using network dictionaries. It sure can be better worded (suggestions welcome), and may also benefit from some 'even if you don't care about requests being sniffed, think about whether you trust a remote server that may e.g. log all your requests' part. If something like this should be used, it also needs the i18n part done properly, with all required translations.
Upstream has not made any notes on the cloned bug report. I think this has probably waited long enough and it would be good to apply the patch to disable network dictionaries by default.
done - http://koji.fedoraproject.org/koji/taskinfo?taskID=1891778
stardict-3.0.1-20.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.