[X2Go-Dev] Bug#333: X2Go issue (in src:x2goclient) has been marked as pending for release

Dan Halbert halbert at halwitz.org
Tue Oct 29 13:59:30 CET 2013


Hi Mike, this fix to authenticate the commands is good. I didn't realize 
I was uncovering a security problem.

One question: the underlying crash was due to bad data. If authenticated 
but still bad data is sent, will the client still crash? I am thinking 
about a malicious server crafting something to crash the client or have 
it do something bad. I looked at the code diff and I didn't see some 
underlying verification of the x2go commands.

E.g.:
X2GODATABEGIN:<good-uuidhash>
bad data here
X2GODATAEND:<good-uuidhash>
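The case raised in this message, as an added example that is not part of the original email and not x2goclient code: a reply is accepted only when the markers carry the expected token and every payload line also passes a strict format check. The function names and the record format (three non-empty `|`-separated fields per line) are assumptions made for illustration.

```cpp
#include <sstream>
#include <string>
#include <vector>

typedef std::vector<std::string> Fields;

// Assumption for illustration, not the X2Go format: every payload line is
// one record with exactly kFields non-empty '|'-separated fields.
static const std::size_t kFields = 3;

// Collect the lines between X2GODATABEGIN:<token> and X2GODATAEND:<token>.
// Fails unless both markers carry the expected token, in that order.
bool extractBlock(const std::string& output, const std::string& token,
                  std::vector<std::string>& lines) {
    std::istringstream in(output);
    std::string line;
    bool inside = false;
    lines.clear();
    while (std::getline(in, line)) {
        if (!inside) inside = (line == "X2GODATABEGIN:" + token);
        else if (line == "X2GODATAEND:" + token) return true;
        else lines.push_back(line);
    }
    return false;  // begin or end marker never seen
}

// Split one record; reject it unless the field count and contents match, so
// later code never indexes past the end of a short or malformed record.
bool parseRecord(const std::string& line, Fields& out) {
    out.clear();
    for (std::size_t start = 0;;) {
        std::size_t bar = line.find('|', start);
        out.push_back(line.substr(start, bar - start));
        if (bar == std::string::npos) break;
        start = bar + 1;
    }
    if (out.size() != kFields) return false;
    for (std::size_t i = 0; i < out.size(); ++i)
        if (out[i].empty()) return false;
    return true;
}

// Authenticated framing and payload validation are separate checks: the
// reply is accepted only if both pass, and nothing partial is returned.
bool parseReply(const std::string& output, const std::string& token,
                std::vector<Fields>& records) {
    std::vector<std::string> lines;
    records.clear();
    if (!extractBlock(output, token, lines)) return false;
    for (std::size_t i = 0; i < lines.size(); ++i) {
        Fields f;
        if (!parseRecord(lines[i], f)) { records.clear(); return false; }
        records.push_back(f);
    }
    return true;
}
```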


