FvwmButtons listens for incoming TCP connections #1029

vladrich · 2024-05-29T16:27:28Z

Hello,

I cannot find a dedicated security contact, so I am posting this here.

FvwmButtons listens for incoming TCP connections from any host, which is a major security risk.

# netstat -ltpv 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:38221           0.0.0.0:*               LISTEN      15701/FvwmButtons   
tcp6       0      0 [::]:42179              [::]:*                  LISTEN      15701/FvwmButtons

Running on Linux x86_64.

As far as I can see, the port is opened here:

fvwm3/libs/fsm.c

Line 1046 in 5d6c045

if (!FIceListenForConnections (

Others seem to be mitigating the problem by limiting communication to UNIX sockets via calling _IceTransNoListen ("tcp")

Can FVWM do the same?

Thanks,
V.

The text was updated successfully, but these errors were encountered:

ThomasAdam · 2024-05-29T16:39:48Z

Hi @vladrich

This is a very old bug.

Open a PR to fix this, please.

vladrich · 2024-05-29T19:31:18Z

I've tried with #1030 now. Please check carefully - I am not fluent at C programming. Thanks!

vladrich added the type:bug Something's broken! label May 29, 2024

vladrich mentioned this issue May 29, 2024

FvwmButtons: stop listening for incoming TCP connections #1030

Merged

ThomasAdam closed this as completed in #1030 May 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FvwmButtons listens for incoming TCP connections #1029

FvwmButtons listens for incoming TCP connections #1029

vladrich commented May 29, 2024

ThomasAdam commented May 29, 2024

vladrich commented May 29, 2024

FvwmButtons listens for incoming TCP connections #1029

FvwmButtons listens for incoming TCP connections #1029

Comments

vladrich commented May 29, 2024

ThomasAdam commented May 29, 2024

vladrich commented May 29, 2024