On Sat, Apr 02, 2016 at 08:43:34PM +0200, Thomas Braun wrote:
> tags 672435 security
> thanks
>
> On Fri, 11 May 2012 11:12:46 +0900 Ryo IGARASHI <rigar...@gmail.com> wrote:
> > Today I found that the option -localhost does not restrict ipv6 access to
> > ::1(localhost).
> > Looking at the -localhost option section of 'man x11vnc', the ipv6 access
> > seems to
> > be restricted to ::1 (loopback) as well. However, the output of 'netstat
> > -ln' shows:
> >
> > $ netstat -ln
> > Proto Recv-Q Send-Q Local Address Foreign Address State
> > ...
> > tcp6 0 0 :::5900 :::* LISTEN
> > ...
>
> I've just verified that bug with the current version in jessie.
>
> x11vnc -localhost -create
>
> netstat -lntp | grep 5900
>
> tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN
> -
> tcp6 0 0 :::5900 :::* LISTEN
> -
>
> The manpage states
>
> -localhost
> [...]
> IPv6: if IPv6 is supported, this option automatically implies the IPv6
> loopback address '::1' as well.
>
> This bug should be treated as a SECURITY relevant bug. Offering VNC services
> on the network interface while claiming that it is only accessible via
> loopback is really bad.
In the absence of a proper code fix, this could at least be properly documented
for the upcoming stretch release?
Cheers,
Moritz
