Closed vladrich closed 1 month ago
Hello,
I cannot find a dedicated security contact, so I am posting this here.
FvwmButtons listens for incoming TCP connections from any host, which is a major security risk.
    # netstat -ltpv
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:38221           0.0.0.0:*               LISTEN      15701/FvwmButtons
    tcp6       0      0 [::]:42179              [::]:*                  LISTEN      15701/FvwmButtons
Running on Linux x86_64.
As far as I can see, the port is opened here: https://github.com/fvwmorg/fvwm3/blob/5d6c0457f6385bc9537b62ea9fe5f4a83ee89a33/libs/fsm.c#L1046
Others seem to be mitigating the problem by limiting communication to UNIX sockets via calling _IceTransNoListen ("tcp")
Can FVWM do the same?
Thanks, V.
Hi @vladrich
This is a very old bug.
Open a PR to fix this, please.
I've tried with #1030 now. Please check carefully - I am not fluent at C programming. Thanks!
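A check for the condition reported in this issue, as an added example that is not part of the thread or of fvwm's code: it reads `netstat -ltp` style output and reports TCP listeners that a given program has bound to a wildcard address, so the same command can confirm a fix. The function names are hypothetical, and the sample reuses the two FvwmButtons lines from the report plus two constructed loopback lines.

```shell
#!/bin/sh
# wildcard_listeners PROGRAM
# Reads netstat -ltp output on stdin and prints "proto port pid/program"
# for each LISTEN socket owned by PROGRAM whose local address is a
# wildcard (0.0.0.0, [::], :: or *). Loopback-only listeners are ignored.
# Live use (as root, so the PID/Program column is filled in):
#   netstat -ltpn | wildcard_listeners FvwmButtons
wildcard_listeners() {
    awk -v prog="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            # Column 7 is "PID/Program name"; drop the PID to compare names.
            owner = $7
            sub(/^[0-9]+\//, "", owner)
            if (owner != prog) next
            # Split "addr:port" at the last colon, since IPv6 addresses
            # contain colons themselves.
            port = $4
            sub(/^.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "::" || addr == "*")
                print $1, port, $7
        }'
}

# Constructed sample: the FvwmButtons wildcard lines are taken from the
# report above; the cupsd line and the loopback FvwmButtons line are made
# up to show what the filter ignores.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:38221           0.0.0.0:*               LISTEN      15701/FvwmButtons
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      15701/FvwmButtons
tcp6       0      0 [::]:42179              [::]:*                  LISTEN      15701/FvwmButtons
EOF
}

# Stand-alone run: report the exposed listeners in the sample.
sample_netstat | wildcard_listeners FvwmButtons
```

Empty output for a program means it has no wildcard-bound TCP listener in the input, which is the expected result once TCP listening is disabled.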