fvwmorg / fvwm3

FVWM version 3 -- the successor to fvwm2

FvwmButtons listens for incoming TCP connections #1029

Closed vladrich closed 1 month ago

vladrich commented 1 month ago

Hello,

I cannot find a dedicated security contact, so I am posting this here.

FvwmButtons listens for incoming TCP connections from any host, which is a major security risk.

# netstat -ltpv 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:38221           0.0.0.0:*               LISTEN      15701/FvwmButtons   
tcp6       0      0 [::]:42179              [::]:*                  LISTEN      15701/FvwmButtons   

Running on Linux x86_64.

As far as I can see, the port is opened here: https://github.com/fvwmorg/fvwm3/blob/5d6c0457f6385bc9537b62ea9fe5f4a83ee89a33/libs/fsm.c#L1046

Others seem to be mitigating the problem by limiting communication to UNIX sockets via calling _IceTransNoListen ("tcp").

Can FVWM do the same?

Thanks, V.
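The netstat listing in the report above is exactly the evidence an administrator would want to check for automatically across a fleet of desktops. The script below is an added example for this page, written by the editor; it is not code from fvwm3, from libICE, or from the issue author. It parses `netstat -ltp` style output (the two FvwmButtons lines quoted in the report, plus two constructed loopback-only listeners for contrast, which do not come from the issue) and reports every TCP listener that is reachable from other hosts, i.e. bound to a wildcard address (`0.0.0.0` or `::`) or to a specific non-loopback interface, together with the owning PID and program. Both the `[::]:port` and the `:::port` spellings of the IPv6 wildcard that different netstat builds print are handled.

```python
"""Flag TCP listeners that are reachable from other hosts in netstat -ltp output.

The sample below is constructed for this example: the two FvwmButtons lines
are the ones quoted in the issue, the cupsd and sshd lines are made up to
show what a loopback-only listener looks like.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:38221           0.0.0.0:*               LISTEN      15701/FvwmButtons
tcp6       0      0 [::]:42179              [::]:*                  LISTEN      15701/FvwmButtons
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp6       0      0 ::1:6010                :::*                    LISTEN      2231/sshd
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: str


def parse_local(field: str):
    """Split a netstat 'Local Address' field into (host, port).

    The host may be an IPv4 literal, a bracketed IPv6 literal ("[::]:42179")
    or an unbracketed one (":::42179", "::1:6010"), so split on the last colon.
    """
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Listener]:
    """Extract LISTEN sockets from netstat -ltp output; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        # Data lines start with tcp/tcp6 and carry at least proto..state columns.
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        host, port = parse_local(parts[3])
        pid, program = None, "-"
        if len(parts) >= 7 and parts[6] != "-":
            pid_s, _, program = parts[6].partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
        listeners.append(Listener(parts[0], host, port, pid, program))
    return listeners


def exposure(host: str) -> str:
    """Classify a bound address: 'any' (all interfaces), 'loopback', or 'interface'."""
    if host in ("0.0.0.0", "::"):
        return "any"
    if host.startswith("127.") or host == "::1":
        return "loopback"
    return "interface"


def find_exposed(text: str) -> List[Listener]:
    """Return listeners that remote hosts can reach, i.e. everything not loopback-only."""
    return [l for l in parse_netstat(text) if exposure(l.addr) != "loopback"]


if __name__ == "__main__":
    for l in find_exposed(SAMPLE_NETSTAT):
        print(f"{l.program} (pid {l.pid}) listens on {l.proto} {l.addr}:{l.port} "
              f"[{exposure(l.addr)}]")
```

On a real host, feed it the output of `netstat -ltp` (run as root so PID/Program name is populated); any program that shows up as `any` and has no business accepting remote connections, as FvwmButtons here, is a candidate for the kind of restriction to UNIX sockets the report proposes, or for a host firewall rule in the meantime.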

ThomasAdam commented 1 month ago

Hi @vladrich

This is a very old bug.

Open a PR to fix this, please.

vladrich commented 1 month ago

I've tried with #1030 now. Please check carefully - I am not fluent at C programming. Thanks!