tag #333 pending
fixed #333 4.0.1.2
thanks

Hello,

X2Go issue #333 (src:x2goclient) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at: http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=c121b7e

The issue will most likely be fixed in src:x2goclient (4.0.1.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit c121b7e2d3d83abdc2d7a29637bc3294e38b2ec3
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue Oct 29 13:36:58 2013 +0100

Perform sanity checks on data that comes in from X2Go Servers. Prohibit the execution of arbitrary code via the ~/.bashrc file. (Fixes: #333).

diff --git a/debian/changelog b/debian/changelog index e484ba5..e069591 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,9 @@ x2goclient (4.0.1.2-0~x2go2) UNRELEASED; urgency=low + Store broker HTTPS certificate exceptions in $HOME/.x2go/ssl/exceptions (before: $HOME/ssl/exceptions). (Fixes: #328). + + Perform sanity checks on data that comes in from X2Go Servers. + Prohibit the execution of arbitrary code via the ~/.bashrc file. + (Fixes: #333). * Pull-in packaging changes from Debian. [ Ricardo Díaz Martín ]
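Review bot: the only hunk in this diff is the debian/changelog entry, so the sanity check itself cannot be reviewed here and the entry is the sole description of what is now verified, yet "Perform sanity checks on data that comes in from X2Go Servers" and "Prohibit the execution of arbitrary code via the ~/.bashrc file" name the goal rather than the check. Suggest stating in the entry which check was added (the bug title says a user can inject data into the client through .bashrc, and the thread refers to X2GODATABEGIN/X2GODATAEND markers, so for instance: only accept data delimited by the markers that carry the id of the current request), and noting that the content of a correctly delimited frame is not yet validated, which is the follow-up raised as #334 below.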
Processing commands for control@bugs.x2go.org:
tag #333 pending
Bug #333 [x2goclient] users can inject data into X2Go Client using .bashrc
Added tag(s) pending.
fixed #333 4.0.1.2
Bug #333 [x2goclient] users can inject data into X2Go Client using .bashrc
There is no source info for the package 'x2goclient' at version '4.0.1.2' with architecture ''
Unable to make a source version for version '4.0.1.2'
Marked as fixed in versions 4.0.1.2.
thanks
Stopping processing here.

333: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=333
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
Hi Mike, this fix to authenticate the commands is good. I didn't realize I was uncovering a security problem.
One question: the underlying crash was due to bad data. If authenticated but still bad data is sent, will the client still crash? I am thinking about a malicious server crafting something to crash the client or have it do something bad. I looked at the code diff and I didn't see some underlying verification of the x2go commands.
E.g.: X2GODATABEGIN:<good-uuidhash> bad data here X2GODATAEND:<good-uuidhash>
Hi Dan,
On Tue 29 Oct 2013 13:59:30 CET, Dan Halbert wrote:
> Hi Mike, this fix to authenticate the commands is good. I didn't
> realize I was uncovering a security problem.
>
> One question: the underlying crash was due to bad data. If
> authenticated but still bad data is sent, will the client still
> crash? I am thinking about a malicious server crafting something to
> crash the client or have it do something bad. I looked at the code
> diff and I didn't see some underlying verification of the x2go
> commands.
>
> E.g.: X2GODATABEGIN:<good-uuidhash> bad data here X2GODATAEND:<good-uuidhash>
I would indeed call this work in progress. See #334 for the "bad data
here" location you address above.
We surely need a means to ensure that the data sent over the wire is
sane. An idea could be to encrypt/decrypt the data asymmetrically.
Maybe something else...
Hmmm...
I don't think that evaluating the data in itself (via regexp e.g.)
will lead to good results. We should invent a method that is common to
all sorts of text data and makes sure that the data is for the client
that requested it.
On the other hand... If you cannot trust your admin, who can you trust???
Any contribution of ideas is welcome.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
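The two-stage check Dan and Mike are discussing, as an added example written for this page (not X2Go Client's own code): stage one accepts only the block framed by X2GODATABEGIN:<id> / X2GODATAEND:<id> markers carrying the id the client generated for this request, which is the "data is for the client that requested it" property and what defeats output injected by a user's ~/.bashrc; stage two is the part Dan asks about, a strict grammar check on the framed payload so that a correctly framed but malformed response from a malicious or buggy server is rejected instead of parsed. The marker names come from the thread; the payload grammar (one non-empty printable-ASCII field per line, bounded count and length), the limits, the id value and the three sample responses are assumptions constructed for the example and are not X2Go's actual wire format.

```cpp
// Added example for this page, not X2Go Client code. The markers
// X2GODATABEGIN:<id> / X2GODATAEND:<id> come from the bug thread; the payload
// grammar, limits, id and sample responses below are assumptions.
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

const std::size_t kMaxFieldLen = 256;  // assumed limits, not X2Go's real values
const std::size_t kMaxFields   = 32;

struct ParseResult {
    bool ok = false;
    std::string error;                // why the response was rejected
    std::vector<std::string> fields;  // validated payload lines
};

// Stage 1: authenticate the frame. Only the text between
// "X2GODATABEGIN:<id>\n" and "\nX2GODATAEND:<id>" for the id this client
// generated is considered. Output outside the frame (e.g. printed by the
// user's ~/.bashrc) is dropped; a missing, mismatched or nested marker
// rejects the whole response instead of guessing.
bool extractFrame(const std::string& raw, const std::string& id,
                  std::string& payload, std::string& error) {
    if (id.empty()) { error = "empty request id"; return false; }
    const std::string begin = "X2GODATABEGIN:" + id + "\n";
    const std::string end   = "\nX2GODATAEND:" + id;
    const std::size_t b = raw.find(begin);
    if (b == std::string::npos) { error = "begin marker for this request not found"; return false; }
    const std::size_t start = b + begin.size();
    const std::size_t e = raw.find(end, start);
    if (e == std::string::npos) { error = "end marker for this request not found"; return false; }
    const std::size_t after = e + end.size();
    if (after < raw.size() && raw[after] != '\n') { error = "end marker id mismatch"; return false; }
    if (raw.find("X2GODATABEGIN:", start) < e) { error = "nested begin marker inside frame"; return false; }
    payload = raw.substr(start, e - start);
    return true;
}

// Stage 2: sanity-check the payload itself. An authenticated frame can still
// carry garbage (malicious or buggy server), so every line must be a
// non-empty printable-ASCII field and the count must be what the caller
// expects for this command, before any field is interpreted.
ParseResult parseServerData(const std::string& raw, const std::string& id,
                            std::size_t expectedFields) {
    ParseResult r;
    std::string payload;
    if (!extractFrame(raw, id, payload, r.error)) return r;
    std::istringstream in(payload);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty())                  { r.error = "empty field"; return r; }
        if (line.size() > kMaxFieldLen)    { r.error = "field too long"; return r; }
        if (r.fields.size() >= kMaxFields) { r.error = "too many fields"; return r; }
        for (unsigned char c : line)
            if (c < 0x20 || c > 0x7e)      { r.error = "non-printable byte in field"; return r; }
        r.fields.push_back(line);
    }
    if (r.fields.size() != expectedFields) { r.error = "unexpected field count"; return r; }
    r.ok = true;
    return r;
}

// Constructed sample responses (not captured X2Go traffic).
const std::string kId = "5e2b9c0f-4d3a-4b1e-9c77-1f2e3d4c5b6a";  // id the client generated

// Honest server; the user's ~/.bashrc prints a banner before the frame.
std::string sampleGood() {
    return "Welcome (printed by ~/.bashrc)\n"
           "X2GODATABEGIN:" + kId + "\n50\ndeadbeefcafe\n12345\nX2GODATAEND:" + kId + "\n";
}
// .bashrc forges a frame, but cannot know the id the client generated.
std::string sampleForged() {
    const std::string fake = "00000000-0000-0000-0000-000000000000";
    return "X2GODATABEGIN:" + fake + "\n99\nevil\n1\nX2GODATAEND:" + fake + "\n";
}
// Dan's scenario: correct markers, garbage inside.
std::string sampleBadPayload() {
    return "X2GODATABEGIN:" + kId + "\n50\n" + std::string("\x01\x02\xff", 3) +
           "\n12345\nX2GODATAEND:" + kId + "\n";
}

int main() {
    const char* names[] = {"good", "forged", "bad payload"};
    const std::string samples[] = {sampleGood(), sampleForged(), sampleBadPayload()};
    for (int i = 0; i < 3; ++i) {
        ParseResult r = parseServerData(samples[i], kId, 3);
        std::cout << names[i] << ": "
                  << (r.ok ? "accepted, " + std::to_string(r.fields.size()) + " fields"
                           : "rejected (" + r.error + ")")
                  << "\n";
    }
    return 0;
}
```

Plain C++ with no Qt dependency; it prints one verdict per sample. Stage one alone is what authenticating the markers buys: the forged frame fails because the injector never learns the request id. Stage two is the answer to Dan's question, since a frame that is for this client says nothing about whether its contents are well formed; the response is rejected as a whole on the first violation, before any field reaches the code that previously crashed on it.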