Please use CVE-2022-1736 for the gnome-remote-desktop user service being enabled on Ubuntu.
The Debian packaging, and derivatives of both Ubuntu and Debian, for gnome-remote-desktop are probably very similar. The Debian policy strongly encourages services to be running by default after installation[1]. Ubuntu, however, strongly discourages open ports by default[2]. So, while there may be identical code in the other distributions, this may or may not be considered a vulnerability by the other distributions, based on their own policies. Thanks [1]: https://www.debian.org/doc/debian-policy/ch-opersys.html#managing-the-links "The default behaviour is to enable autostarting your package’s daemon" [2]: https://wiki.ubuntu.com/Security/Features#ports "Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule [enumerated exceptions elided]" ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1736 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-remote-desktop in Ubuntu. https://bugs.launchpad.net/bugs/1973028 Title: gnome-remote-desktop user service is always running Status in gnome-remote-desktop package in Ubuntu: Fix Released Status in gnome-remote-desktop source package in Jammy: Triaged Bug description: Impact ------ The gnome-remote-desktop systemd user service is always running. This was a contributing factor for LP: #1971415 Although it's "harmless" for the user service to be running if remote desktop sharing is not enabled, it's a waste of resources to run a service if it's not needed. Test Case --------- Install all Ubuntu updates and the gnome-remote-desktop update. From a clean install (or new user), run this command: systemctl --user status gnome-remote-desktop.service It should show the service as "Active: inactive" Open the Settings app to the Sharing page. Turn on Sharing and turn on Remote Desktop. Use the systemctl command to verify that the service is "Active: active (running). Log out and log back in and reverify. Now turn off Remote Desktop Sharing and verify that the service is inactive. Log out and log back in and reverify. More details ------------------- This fix uses a dpkg maintscript to remove /etc/systemd/user/gnome-session.target.wants/gnome-remote-desktop.service . (That file is a symlink to the actual service). It also modifies debian/rules so that that file is no longer automatically added. Instead of /etc/systemd/user/ , the user service is intended to be enabled with the symlink ~/.config/systemd/user/gnome- session.target.wants/gnome-remote-desktop.service . That is appropriate since the GNOME implementation is per-user, not system- wide and it is also disabled by default. Fixing this bug has been strongly urged by the GNOME Remote Desktop maintainers, and this brings us in line with how non-Debian distros have been packaging gnome-remote-desktop. What could go wrong ------------------- The RDP and VNC sharing services in GNOME could start when they shouldn't or not start when they should. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1973028/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp