From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Dan Halbert
Cc: 333@bugs.x2go.org
Date: Tue, 29 Oct 2013 13:15:48 +0000
Subject: Re: Bug#333: X2Go issue (in src:x2goclient) has been marked as pending for release
Message-ID: <20131029131548.Horde.CWdPSTcHA3SBHPz5HBqibQ8@mail.das-netzwerkteam.de>
References: <20131029123733.54E955DB18@ymir> <526FB132.7060505@halwitz.org>
In-Reply-To: <526FB132.7060505@halwitz.org>

Hi Dan,

On Tue 29 Oct 2013 13:59:30 CET, Dan Halbert wrote:

> Hi Mike, this fix to authenticate the commands is good. I didn't
> realize I was uncovering a security problem.
>
> One question: the underlying crash was due to bad data. If
> authenticated but still bad data is sent, will the client still
> crash? I am thinking about a malicious server crafting something to
> crash the client or have it do something bad. I looked at the code
> diff and I didn't see some underlying verification of the x2go
> commands.
>
> E.g.:
> X2GODATABEGIN:
> bad data here
> X2GODATAEND:

I would indeed call this work in progress. See #334 for the "bad data here" location you address above.

We surely need a means to ensure that the data sent over the wire is sane. An idea could be to encrypt/decrypt the data asymmetrically. Maybe something else... Hmmm...

I don't think that evaluating the data in itself (via regexp e.g.) will lead to good results. We should invent a method that is common to all sorts of text data and makes sure that the data is for the client that requested it.

On the other hand... If you cannot trust your admin, who can you trust???
Any contribution of ideas is welcome.

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Attachment: public PGP key (application/pgp-keys). The message is PGP-signed (GnuPG v1.4.15); key block and signature omitted here.]
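Added example, placed after the end of the message above; it is illustration code, not the parser in x2goclient and not something Mike or Dan posted. It shows the two checks the exchange asks for: Dan's case of a well-framed reply whose payload is garbage ("bad data here" between X2GODATABEGIN: and X2GODATAEND:) must be rejected rather than crash the client, and Mike's requirement that the data be tied to the request that asked for it is met by binding both markers to a per-request nonce. Everything beyond the two marker names is an assumption for the example: the nonce suffix on the markers, the 'sid|display|status|host' record layout, the status codes, and the size limits. The sample replies at the bottom are constructed, not captured from a server.

```python
"""Added example: fail-closed parsing of a X2GODATABEGIN:/X2GODATAEND:
framed reply from an untrusted X2Go server. Illustration code, not
x2goclient's parser. Assumed (not from the bug thread): the client appends
a per-request nonce to both markers, payload records are
'sid|display|status|host' lines, and the size limits below."""
import re
import secrets

MAX_RECORDS = 256          # assumed bound on records accepted per reply
MAX_LINE_LEN = 512         # assumed bound on one record line
SESSION_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
DISPLAY = re.compile(r"[0-9]{1,5}")
HOSTNAME = re.compile(r"[A-Za-z0-9.-]{1,253}")
STATUS_CODES = {"R", "S", "T"}   # assumed: running / suspended / terminated


class FramingError(ValueError):
    """The reply is not a well-framed answer to *this* request."""


class RecordError(ValueError):
    """Framing is fine, but a payload line is not a valid record."""


def new_nonce():
    """Per-request token the client puts into both markers of one command."""
    return secrets.token_hex(16)


def markers(nonce):
    return f"X2GODATABEGIN:{nonce}", f"X2GODATAEND:{nonce}"


def extract_block(raw, nonce):
    """Return the payload lines between the markers bound to `nonce`.
    Text outside the markers (motd, shell noise) is ignored. A missing,
    duplicated or reversed marker raises instead of yielding a partial
    block, so a reply to some other request is never taken for this one."""
    begin, end = markers(nonce)
    lines = raw.replace("\r\n", "\n").split("\n")
    if lines.count(begin) != 1 or lines.count(end) != 1:
        raise FramingError("need exactly one begin and one end marker for this request")
    start, stop = lines.index(begin), lines.index(end)
    if stop < start:
        raise FramingError("end marker precedes begin marker")
    return lines[start + 1:stop]


def parse_record(line):
    """Strict, typed validation of one record; anything unexpected raises."""
    if len(line) > MAX_LINE_LEN:
        raise RecordError("record line too long")
    fields = line.split("|")
    if len(fields) != 4:
        raise RecordError(f"expected 4 fields, got {len(fields)}")
    sid, display, status, host = fields
    if not SESSION_ID.fullmatch(sid):
        raise RecordError("bad session id")
    if not DISPLAY.fullmatch(display) or int(display) > 65535:
        raise RecordError("bad display number")
    if status not in STATUS_CODES:
        raise RecordError("bad status code")
    if not HOSTNAME.fullmatch(host):
        raise RecordError("bad host name")
    return {"sid": sid, "display": int(display), "status": status, "host": host}


def parse_reply(raw, nonce):
    """Framing check bound to the request, then per-record validation.
    Every failure is an exception the caller can report; none is a crash."""
    lines = [l for l in extract_block(raw, nonce) if l != ""]
    if len(lines) > MAX_RECORDS:
        raise RecordError(f"more than {MAX_RECORDS} records")
    return [parse_record(l) for l in lines]


if __name__ == "__main__":
    nonce = new_nonce()
    begin, end = markers(nonce)
    # Constructed sample replies, not captured from a real server.
    good = "\n".join(["Welcome to x2go.example.org", begin,
                      "alice-50-1383050000|50|R|x2go.example.org", end, ""])
    print(parse_reply(good, nonce))
    bad = "\n".join([begin, "bad data here", end])   # the case from the thread
    try:
        parse_reply(bad, nonce)
    except RecordError as err:
        print("rejected:", err)
```

The design choice worth noting: the nonce only proves that the block belongs to this request (a server that runs the command can of course echo the nonce), so it does nothing against a malicious server by itself; that is exactly why the per-record validation is separate and refuses anything it cannot type, instead of the client trusting the framing and crashing on the contents.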