clipboard integration -- possible security implications

Tony Baechler tony at baechler.net
Tue Nov 10 04:36:52 EST 2009


I do sometimes use Speakup via ssh.  Sometimes I want to make sure my 
hardware synthesizer is working.  I often build new Speakup modules via 
ssh for convenience.  When I was playing with virtual machines and 
DOSemu, I tried sending output through Speakup.  I'm actually wondering 
if there could be a potential security issue with a remote user flooding 
a hardware synth buffer by sending massive amounts of text to it.  I 
have verified that I can make my synth talk from across the room with 
ssh, so presumably there would definitely be a security issue in that a 
user could send unwanted and/or annoying messages to your synth when you 
aren't expecting it.  In the case of the DECtalk, they could send text 
without a closing bracket and potentially cause loss of speech.

On 11/9/2009 8:35 PM, Steve Holmes wrote:
> And to add to this suggestion, while in that same shell, you could
> pipe the pasted contents into xclip in much the same way and then you
> have it in the X clipboard also.
>
> I like the idea of the select group to hold all speakup settings.
> This would improve security issues in general, I think.  I like the
> concept of using /sys/accessibility/speakup/clip or whatever to hold a
> file name that could then be used and owned by a specific user but I
> also understand the downside to this as was pointed out earlier in
> this thread.
>
> I wonder if tying this business to virtual consoles wouldn't be a bad
> idea.  I mean, think about it.  First off, speakup would never be used
> by a remote user like over ssh; at least I can't imagine such a case.
> As I think about it right now, I would think that could be an
> excellent way to secure this aspect.  If the speakup cut/paste feature
> is accessing the resource, any other users currently using the system
> are most likely not on the virtual consoles and would probably have no
> idea it was in use.