From: Michael Tokarev
Subject: Re: [PATCH] ui: reject extended clipboard message if not activated
Date: Wed, 17 Jan 2024 15:10:30 +0300
User-agent: Mozilla Thunderbird

15.01.2024 12:51, Daniel P. Berrangé wrote:
> The extended clipboard message protocol requires that the client
> activate the extension by requesting a pseudo encoding. If this is
> not done, then any extended clipboard messages from the client should
> be considered invalid and the client dropped.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>
> The need for fix was identified as part of investigation for
> CVE-2023-6683. This does NOT, however, fix that CVE as it only
> addresses one of the problem codepaths that can trigger that CVE.

This might be a good pick for -stable too, in addition to the actual
CVE-2023-6683 fix (adding -stable).

/mjt
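
The rule in the quoted commit message, as an added example that is not part of this thread and is not QEMU's code: a server tracks whether the client requested the Extended Clipboard pseudo-encoding in SetEncodings and drops a client that sends an extended ClientCutText (negative length) without it. The `struct client`, `enum verdict` and `check_client_msg` names are hypothetical; the message layouts and the pseudo-encoding number follow the community RFB protocol specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RFB constants from the community RFB protocol specification. */
#define RFB_SET_ENCODINGS     2
#define RFB_CLIENT_CUT_TEXT   6
#define RFB_ENC_EXT_CLIPBOARD 0xC0A1E5CEu  /* Extended Clipboard pseudo-encoding */

enum verdict { MSG_ACCEPT, MSG_NEED_MORE, MSG_DROP_CLIENT };

/* Hypothetical per-connection state; not QEMU's VncState. */
struct client { bool ext_clipboard; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Inspect one client message and decide whether it may be processed. */
enum verdict check_client_msg(struct client *c, const uint8_t *m, size_t len) {
    if (len < 1) return MSG_NEED_MORE;
    switch (m[0]) {
    case RFB_SET_ENCODINGS: {
        if (len < 4) return MSG_NEED_MORE;
        size_t n = ((size_t)m[2] << 8) | m[3];
        if (len < 4 + 4 * n) return MSG_NEED_MORE;
        c->ext_clipboard = false;  /* assumption: a new list replaces the old one */
        for (size_t i = 0; i < n; i++)
            if (be32(m + 4 + 4 * i) == RFB_ENC_EXT_CLIPBOARD)
                c->ext_clipboard = true;
        return MSG_ACCEPT;
    }
    case RFB_CLIENT_CUT_TEXT: {
        if (len < 8) return MSG_NEED_MORE;
        uint32_t raw = be32(m + 4);
        if (!(raw & 0x80000000u)) return MSG_ACCEPT;    /* classic cut text */
        if (!c->ext_clipboard) return MSG_DROP_CLIENT;  /* extension never activated */
        uint32_t body = (uint32_t)0 - raw;              /* abs(length) of the payload */
        if (body < 4) return MSG_DROP_CLIENT;           /* no room for the flags word */
        return (len - 8 < body) ? MSG_NEED_MORE : MSG_ACCEPT;
    }
    default:
        return MSG_ACCEPT;  /* other message types are out of scope here */
    }
}
```

The activation check runs before any of the extended payload is interpreted, so an unactivated client never reaches the clipboard handling path.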