X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#333: X2Go issue (in src:x2goclient) has been marked as pending for release
Reply-To: Dan Halbert <halbert@halwitz.org>, 333@bugs.x2go.org
Resent-From: Dan Halbert <halbert@halwitz.org>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 29 Oct 2013 13:18:02 +0000
Resent-Message-ID: <handler.333.B333.13830519976787@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 333
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: confirmed pending
Received: via spool by 333-submit@bugs.x2go.org id=B333.13830519976787
          (code B ref 333); Tue, 29 Oct 2013 13:18:02 +0000
Received: (at 333) by bugs.x2go.org; 29 Oct 2013 13:06:37 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	RCVD_IN_DNSWL_BLOCKED autolearn=ham version=3.3.2
X-Greylist: delayed 396 seconds by postgrey-1.34 at ymir; Tue, 29 Oct 2013 14:06:36 CET
Received: from smtp139.dfw.emailsrvr.com (smtp139.dfw.emailsrvr.com [67.192.241.139])
	by ymir (Postfix) with ESMTPS id B215E5DA6C
	for <333@bugs.x2go.org>; Tue, 29 Oct 2013 14:06:36 +0100 (CET)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp23.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 26CDD2F83BD;
	Tue, 29 Oct 2013 08:59:59 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp23.relay.dfw1a.emailsrvr.com (Authenticated sender: halbert-AT-halwitz.org) with ESMTPSA id D01012F8393;
	Tue, 29 Oct 2013 08:59:58 -0400 (EDT)
Message-ID: <526FB132.7060505@halwitz.org>
Date: Tue, 29 Oct 2013 08:59:30 -0400
From: Dan Halbert <halbert@halwitz.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 333@bugs.x2go.org
CC: 333@bugs.x2go.org
References: <20131029123733.54E955DB18@ymir>
In-Reply-To: <20131029123733.54E955DB18@ymir>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi Mike, this fix to authenticate the commands is good. I didn't realize 
I was uncovering a security problem.

One question: the underlying crash was due to bad data. If authenticated 
but still bad data is sent, will the client still crash? I am thinking 
about a malicious server crafting something to crash the client or have 
it do something bad. I looked at the code diff and I didn't see some 
underlying verification of the x2go commands.

E.g.:
X2GODATABEGIN:<good-uuidhash>
bad data here
X2GODATAEND:<good-uuidhash>

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 20:56:00 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.