[X2Go-Dev] Bug#333: X2Go issue (in src:x2goclient) has been marked as pending for release
Dan Halbert
halbert at halwitz.org
Tue Oct 29 13:59:30 CET 2013
Hi Mike, this fix to authenticate the commands is good. I didn't realize
I was uncovering a security problem.
One question: the underlying crash was due to bad data. If authenticated
but still bad data is sent, will the client still crash? I am thinking
about a malicious server crafting something to crash the client or have
it do something bad. I looked at the code diff and I didn't see some
underlying verification of the x2go commands.
E.g.:
X2GODATABEGIN:<good-uuidhash>
bad data here
X2GODATAEND:<good-uuidhash>
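The concern raised in this message, as an added example that is not part of the original e-mail and not x2goclient code: a frame parser that checks the token on both markers and then still validates the payload, so that authenticated but malformed data is rejected rather than processed. The function names and the payload rule (at most 64 lines of 1 to 256 printable ASCII characters) are assumptions made for illustration; the real X2Go payload format is not shown on this page.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constant-time comparison so the token check does not leak a matching prefix.
static bool tokenEquals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (std::string::size_type i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Hypothetical payload rule (assumption): 1..256 printable ASCII characters.
static bool payloadLineOk(const std::string& l) {
    if (l.empty() || l.size() > 256) return false;
    for (unsigned char c : l)
        if (c < 0x20 || c > 0x7e) return false;
    return true;
}

// Fills `out` only if the frame is authenticated AND its payload is well formed.
bool parseFrame(const std::string& input, const std::string& token,
                std::vector<std::string>& out) {
    const std::string beginTag = "X2GODATABEGIN:", endTag = "X2GODATAEND:";
    std::istringstream in(input);
    std::string line;
    std::vector<std::string> payload;
    if (!std::getline(in, line) || line.compare(0, beginTag.size(), beginTag) != 0)
        return false;                                   // missing begin marker
    if (!tokenEquals(line.substr(beginTag.size()), token)) return false;
    while (std::getline(in, line)) {
        if (line.compare(0, endTag.size(), endTag) == 0) {
            if (!tokenEquals(line.substr(endTag.size()), token)) return false;
            out.swap(payload);                          // accept the whole frame
            return true;
        }
        // Authentication alone is not enough: bound and check every line.
        if (payload.size() >= 64 || !payloadLineOk(line)) return false;
        payload.push_back(line);
    }
    return false;                                       // end marker never arrived
}

int main() {
    std::vector<std::string> out;                       // constructed sample frame
    bool ok = parseFrame("X2GODATABEGIN:abc123\nsession=ok\nX2GODATAEND:abc123\n", "abc123", out);
    std::cout << (ok ? "accepted" : "rejected") << "\n";
}
```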