Package: empathy
Version: 2.28.2-3
Severity: grave
Tags: security
Justification: user security hole

Hello,

I would like to use the feature of remote desktop sharing via empathy. However, allowing this via empathy enables the user on the other side to control my mouse and keyboard. This is despite the fact that under the gnome-settings I chose to enable the desktop only for viewing.

Of course, I could share my desktop through gnome, and then initiate the empathy call, but then what's the point of having this feature in empathy, if it does not respect my preferences?

I file this as a security issue, because I think users on the other side should not have access to my desktop unless I enabled it specifically. If I had a sudo session in the last moments before sharing the desktop, it means that they inherit my root permission and can cause damage, intentionally or not.

If you don't think it's a security issue, feel free to downgrade this bug. Also, I'm almost sure this is a GNOME issue, and not Debian, but I prefer reporting it here.

Regards,
Oz

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages empathy depends on:
ii  dbus-x11                  1.2.20-2         simple interprocess messaging syst
ii  libatk1.0-0               1.28.0-1         The ATK accessibility toolkit
ii  libbonobo2-0              2.24.2-1         Bonobo CORBA interfaces library
ii  libc6                     2.10.2-2         GNU C Library: Shared libraries
ii  libcairo2                 1.8.8-2          The Cairo 2D vector graphics libra
ii  libchamplain-0.4-0        0.4.3-1          C library providing ClutterActor t
ii  libchamplain-gtk-0.4-0    0.4.3-1          A Gtk+ widget to display maps
ii  libclutter-1.0-0          1.0.8-1          Open GL based interactive canvas l
ii  libclutter-gtk-0.10-0     0.10.2-1         Open GL based interactive canvas l
ii  libdbus-1-3               1.2.20-2         simple interprocess messaging syst
ii  libdbus-glib-1-2          0.84-1           simple interprocess messaging syst
ii  libebook1.2-9             2.28.2-1         Client library for evolution addre
ii  libedataserver1.2-11      2.28.2-1         Utility library for evolution data
ii  libempathy-gtk28          2.28.2-3         High-level library and user-interf
ii  libempathy30              2.28.2-3         High-level library and user-interf
ii  libfontconfig1            2.8.0-2          generic font configuration library
ii  libfreetype6              2.3.11-1         FreeType 2 font engine, shared lib
ii  libgconf2-4               2.28.0-1         GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1]  7.6.1-1          A free implementation of the OpenG
ii  libglib2.0-0              2.22.4-1         The GLib library of C routines
ii  libgnome-keyring0         2.28.2-1         GNOME keyring services library
ii  libgstfarsight0.10-0      0.0.17-2         Audio/Video communications framewo
ii  libgstreamer0.10-0        0.10.25-4+b1     Core GStreamer libraries and eleme
ii  libgtk2.0-0               2.18.6-1         The GTK+ graphical user interface
ii  libnotify1 [libnotify1-g  0.4.5-1          sends desktop notifications to a n
ii  liborbit2                 1:2.14.17-2      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0             1.26.2-1         Layout and rendering of internatio
ii  libsoup2.4-1              2.29.6-1         an HTTP library implementation in
ii  libtelepathy-farsight0    0.0.13-1         Glue library between telepathy and
ii  libtelepathy-glib0        0.10.0-1         Telepathy framework - GLib library
ii  libunique-1.0-0           1.1.6-1          Library for writing single instanc
ii  libwebkit-1.0-2           1.1.17-2         Web content engine library for Gtk
ii  libx11-6                  2:1.3.3-1        X11 client-side library
ii  libxcomposite1            1:0.4.1-1        X11 Composite extension library
ii  libxdamage1               1:1.1.2-1        X11 damaged region extension libra
ii  libxext6                  2:1.1.1-2        X11 miscellaneous extension librar
ii  libxfixes3                1:4.0.4-1        X11 miscellaneous 'fixes' extensio
ii  libxml2                   2.7.6.dfsg-2+b1  GNOME XML library

Versions of packages empathy recommends:
ii  empathy-doc               2.28.2-3         High-level library and user-interf
ii  gvfs-backends             1.4.3-1          userspace virtual filesystem - bac
ii  telepathy-gabble          0.8.9-1          Jabber/XMPP connection manager
ii  telepathy-salut           0.3.10-1         Link-local XMPP connection manager

Versions of packages empathy suggests:
pn  telepathy-butterfly       <none>           (no description available)
pn  telepathy-haze            <none>           (no description available)
ii  vino                      2.28.1-2.1       VNC server for GNOME

-- debconf-show failed