[X2Go-Dev] Bug#333: X2Go issue (in src:x2goclient) has been marked as pending for release

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Oct 29 14:15:48 CET 2013


Hi Dan,

On Tue 29 Oct 2013 13:59:30 CET, Dan Halbert wrote:

> Hi Mike, this fix to authenticate the commands is good. I didn't  
> realize I was uncovering a security problem.
>
> One question: the underlying crash was due to bad data. If  
> authenticated but still bad data is sent, will the client still  
> crash? I am thinking about a malicious server crafting something to  
> crash the client or have it do something bad. I looked at the code  
> diff and I didn't see some underlying verification of the x2go  
> commands.
>
> E.g.:
> X2GODATABEGIN:<good-uuidhash>
> bad data here
> X2GODATAEND:<good-uuidhash>

I would indeed call this work in progress. See #334 for the "bad data  
here" location you address above.

We surely need a means to ensure that the data sent over the wire is  
sane. An idea could be to encrypt/decrypt the data asymmetrically.  
Maybe something else...

Hmmm...

I don't think that evaluating the data in itself (via regexp e.g.)  
will lead to good results. We should invent a method that is common to  
all sorts of text data and makes sure that the data is for the client  
that requested it.

On the other hand... If you cannot trust your admin, who can you trust???

Any contribution of ideas is welcome.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
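As an added example (not x2goclient's code, and not Mike's or Dan's), here is the framing Dan quotes above, parsed the way a client would have to: the per-request tag check that ties a reply to the request is kept separate from a strict whitelist parse of whatever sits between the markers, so a reply that carries the right tag but "bad data here" is rejected instead of reaching the code that crashed. The key=value payload layout, the allowed keys, the size limits and the SHA-256 derivation of the tag are assumptions for illustration; the sample replies are constructed.

```python
"""Frame check plus strict payload parse for X2GODATABEGIN/X2GODATAEND replies.

Added example, not x2goclient code. Only the marker names and the idea of a
per-request tag come from the thread; everything else here is assumed.
"""
import hashlib
import re

BEGIN = "X2GODATABEGIN:"
END = "X2GODATAEND:"
MAX_PAYLOAD = 4096   # assumed cap on bytes between the markers
MAX_LINES = 32       # assumed cap on KEY=VALUE lines


class FrameError(ValueError):
    """Markers missing, duplicated, or carrying a tag we did not ask for."""


class PayloadError(ValueError):
    """Framing was right but the content is not the shape we accept."""


def request_tag(request_id):
    """Tag the client expects on the reply to one request (assumption: hex
    SHA-256 of the request UUID; the only property the check below needs is
    that it is fixed per request and not guessable by a third party)."""
    return hashlib.sha256(request_id.encode("ascii")).hexdigest()


def extract_frame(raw, expected_tag):
    """Return the lines between the markers carrying expected_tag.

    This proves the text belongs to our request; it says nothing about
    whether that text is safe to act on, which is parse_payload's job.
    """
    lines = raw.split("\n")
    begin, end = BEGIN + expected_tag, END + expected_tag
    if lines.count(begin) != 1 or lines.count(end) != 1:
        raise FrameError("expected exactly one frame with the request tag")
    start, stop = lines.index(begin), lines.index(end)
    if stop < start:
        raise FrameError("end marker precedes begin marker")
    return lines[start + 1:stop]


def _port(v):
    return v.isdigit() and 1 <= int(v) <= 65535


# Assumed schema: whitelisted keys, each with a predicate on its value.
SCHEMA = {
    "sessionid": re.compile(r"[A-Za-z0-9_.-]{1,128}").fullmatch,
    "port": _port,
    "status": {"running", "suspended"}.__contains__,
}
REQUIRED = {"sessionid", "port"}


def parse_payload(lines):
    """Turn framed lines into a dict, rejecting anything outside the schema."""
    if len(lines) > MAX_LINES:
        raise PayloadError("too many lines")
    if sum(len(line) for line in lines) > MAX_PAYLOAD:
        raise PayloadError("payload too large")
    fields = {}
    for n, line in enumerate(lines, 1):
        key, sep, value = line.partition("=")
        if not sep:
            raise PayloadError(f"line {n}: not KEY=VALUE")
        if key not in SCHEMA:
            raise PayloadError(f"line {n}: unknown key {key!r}")
        if key in fields:
            raise PayloadError(f"line {n}: duplicate key {key!r}")
        if not value.isprintable() or not SCHEMA[key](value):
            raise PayloadError(f"line {n}: bad value for {key!r}")
        fields[key] = value
    missing = REQUIRED - fields.keys()
    if missing:
        raise PayloadError(f"missing keys: {sorted(missing)}")
    return fields


def check_reply(raw, expected_tag):
    """Return ("ok", fields) or ("frame"/"payload", reason); never raises."""
    try:
        return "ok", parse_payload(extract_frame(raw, expected_tag))
    except FrameError as exc:
        return "frame", str(exc)
    except PayloadError as exc:
        return "payload", str(exc)


# Constructed sample replies (fixed request id so results are reproducible).
RID = "b2a7d6f8-0d5a-4c1e-9b8e-1f2c3d4e5f60"
TAG = request_tag(RID)
GOOD = (f"Last login: Tue Oct 29 13:59:30 2013 from 192.0.2.10\n{BEGIN}{TAG}\n"
        f"sessionid=user-50-1383055000_stDGNOME_dp24\nport=30001\n"
        f"status=running\n{END}{TAG}\n")
BAD_DATA = f"{BEGIN}{TAG}\nbad data here\n{END}{TAG}\n"   # Dan's case
WRONG_TAG = f"{BEGIN}{'0' * 64}\nsessionid=x\nport=1\n{END}{'0' * 64}\n"
OVERSIZED = f"{BEGIN}{TAG}\nsessionid={'A' * 5000}\nport=1\n{END}{TAG}\n"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("BAD_DATA", BAD_DATA),
                      ("WRONG_TAG", WRONG_TAG), ("OVERSIZED", OVERSIZED)]:
        print(name, check_reply(raw, TAG))
```

Note that the tag check and the schema check fail for different reasons and both are needed: a server (or an attacker who can write to the session's stdout) that knows the tag still gets past extract_frame, and only the whitelist parse stands between its output and the client's state.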