[Pkg-telepathy-maintainers] Bug#569808: empathy does not respect settings of remote desktop preferences in gnome

Oz N nahumoz at gmail.com
Sun Feb 14 13:11:18 UTC 2010


Package: empathy
Version: 2.28.2-3
Severity: grave
Tags: security
Justification: user security hole

Hello, 

I would like to use the feature of remote desktop sharing via
empathy. However, allowing this via empathy enables the user on the
other side to control my mouse and keyboard. This is despite the fact that
under the gnome-settings I chose to enable the desktop only for
viewing.
Of course, I could share my desktop through gnome, and then initiate the
empathy call, but then what's the point of having this feature in
empathy, if it does not respect my preferences?
I file this as a security issue, because I think users on the other side
should not have access to my desktop unless I enabled it specifically.
If I had a sudo session in the last moments before sharing the desktop,
it means that they inherit my root permission and can cause damage,
intentionally or not.
If you don't think it's a security issue, feel free to downgrade this
bug. Also, I'm almost sure this is a GNOME issue, and not Debian, but I
prefer reporting it here.

Regards, 
Oz 


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages empathy depends on:
ii  dbus-x11                 1.2.20-2        simple interprocess messaging syst
ii  libatk1.0-0              1.28.0-1        The ATK accessibility toolkit
ii  libbonobo2-0             2.24.2-1        Bonobo CORBA interfaces library
ii  libc6                    2.10.2-2        GNU C Library: Shared libraries
ii  libcairo2                1.8.8-2         The Cairo 2D vector graphics libra
ii  libchamplain-0.4-0       0.4.3-1         C library providing ClutterActor t
ii  libchamplain-gtk-0.4-0   0.4.3-1         A Gtk+ widget to display maps
ii  libclutter-1.0-0         1.0.8-1         Open GL based interactive canvas l
ii  libclutter-gtk-0.10-0    0.10.2-1        Open GL based interactive canvas l
ii  libdbus-1-3              1.2.20-2        simple interprocess messaging syst
ii  libdbus-glib-1-2         0.84-1          simple interprocess messaging syst
ii  libebook1.2-9            2.28.2-1        Client library for evolution addre
ii  libedataserver1.2-11     2.28.2-1        Utility library for evolution data
ii  libempathy-gtk28         2.28.2-3        High-level library and user-interf
ii  libempathy30             2.28.2-3        High-level library and user-interf
ii  libfontconfig1           2.8.0-2         generic font configuration library
ii  libfreetype6             2.3.11-1        FreeType 2 font engine, shared lib
ii  libgconf2-4              2.28.0-1        GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1] 7.6.1-1         A free implementation of the OpenG
ii  libglib2.0-0             2.22.4-1        The GLib library of C routines
ii  libgnome-keyring0        2.28.2-1        GNOME keyring services library
ii  libgstfarsight0.10-0     0.0.17-2        Audio/Video communications framewo
ii  libgstreamer0.10-0       0.10.25-4+b1    Core GStreamer libraries and eleme
ii  libgtk2.0-0              2.18.6-1        The GTK+ graphical user interface 
ii  libnotify1 [libnotify1-g 0.4.5-1         sends desktop notifications to a n
ii  liborbit2                1:2.14.17-2     libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0            1.26.2-1        Layout and rendering of internatio
ii  libsoup2.4-1             2.29.6-1        an HTTP library implementation in 
ii  libtelepathy-farsight0   0.0.13-1        Glue library between telepathy and
ii  libtelepathy-glib0       0.10.0-1        Telepathy framework - GLib library
ii  libunique-1.0-0          1.1.6-1         Library for writing single instanc
ii  libwebkit-1.0-2          1.1.17-2        Web content engine library for Gtk
ii  libx11-6                 2:1.3.3-1       X11 client-side library
ii  libxcomposite1           1:0.4.1-1       X11 Composite extension library
ii  libxdamage1              1:1.1.2-1       X11 damaged region extension libra
ii  libxext6                 2:1.1.1-2       X11 miscellaneous extension librar
ii  libxfixes3               1:4.0.4-1       X11 miscellaneous 'fixes' extensio
ii  libxml2                  2.7.6.dfsg-2+b1 GNOME XML library

Versions of packages empathy recommends:
ii  empathy-doc                   2.28.2-3   High-level library and user-interf
ii  gvfs-backends                 1.4.3-1    userspace virtual filesystem - bac
ii  telepathy-gabble              0.8.9-1    Jabber/XMPP connection manager
ii  telepathy-salut               0.3.10-1   Link-local XMPP connection manager

Versions of packages empathy suggests:
pn  telepathy-butterfly           <none>     (no description available)
pn  telepathy-haze                <none>     (no description available)
ii  vino                          2.28.1-2.1 VNC server for GNOME

-- debconf-show failed




