X2Go Bug report logs - #722
add sanity checks when processing stdout of X2Go

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Orion Poplawski <orion@cora.nwra.com>

Date: Wed, 7 Jan 2015 18:00:01 UTC

Severity: important

Found in version 4.0.2.1


Message #14 received at 722@bugs.x2go.org:

Date: Thu, 08 Jan 2015 09:48:32 +0000
Message-ID: <20150108094832.Horde.C_vJM1ggUEDggFjNirGLEA1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Orion Poplawski <orion@cora.nwra.com>, 722@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#722: Fwd: [Bug 1179869] New: [abrt] x2goclient:
 ref(): x2goclient killed by SIGSEGV
References: <bug-1179869-140047@bugzilla.redhat.com>
 <54AD7354.2010500@cora.nwra.com>
In-Reply-To: <54AD7354.2010500@cora.nwra.com>
Control: severity -1 important
Control: retitle -1 add sanity checks when processing stdout of X2Go Server commands

Hi Orion,

On  Mi 07 Jan 2015 18:56:36 CET, Orion Poplawski wrote:

> Package: x2goclient
> Version: 4.0.2.1
>
> This is crashing here:
> x2goSession ONMainWindow::getSessionFromString ( const QString& string )
> {
>     QStringList lst=string.split ( '|' );
>     x2goSession s;
>     s.agentPid=lst[0];
>     s.sessionId=lst[1];
>
> looks like the session string is corrupted and doesn't have the expected
> number of elements.  Need some error checking here.
>

Unfortunately, X2Go Client code does no sanitizing at all in most
places. It simply expects that the X2Go Server on the other end is
working correctly (which it sometimes is not)...

Raising severity to important...

Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
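
The kind of check the report asks for, as an added example that is not X2Go Client code: each '|'-separated line is validated before any field is indexed, and malformed lines are rejected instead of dereferenced. It uses std::string rather than QString; SessionFields, the function names, the decimal-PID check and the sample lines are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>
// Hypothetical stand-in for the two x2goSession fields shown in the report.
struct SessionFields { std::string agentPid, sessionId; };
// Split on a delimiter, keeping empty fields (QString::split's default behaviour).
static std::vector<std::string> splitKeepEmpty(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string::size_type start = 0, pos;
    while ((pos = s.find(sep, start)) != std::string::npos) {
        out.push_back(s.substr(start, pos - start));
        start = pos + 1;
    }
    out.push_back(s.substr(start));
    return out;
}

// Validate one server line before any field is indexed.
bool parseSessionLine(const std::string& line, SessionFields& out) {
    const std::vector<std::string> f = splitKeepEmpty(line, '|');
    if (f.size() < 2) return false;                 // short or corrupted line
    if (f[0].empty() || f[1].empty()) return false; // required fields missing
    for (char c : f[0])                             // assumption: PID is decimal
        if (c < '0' || c > '9') return false;
    out.agentPid = f[0];
    out.sessionId = f[1];
    return true;
}

// Parse multi-line command output; malformed lines are counted, not trusted.
std::vector<SessionFields> parseSessionList(const std::string& stdoutText, std::size_t& rejected) {
    std::vector<SessionFields> sessions;
    rejected = 0;
    for (const std::string& line : splitKeepEmpty(stdoutText, '\n')) {
        if (line.empty()) continue;                 // trailing newline
        SessionFields s;
        if (parseSessionLine(line, s)) sessions.push_back(s);
        else ++rejected;
    }
    return sessions;
}

int main() {
    // Constructed sample output: one well-formed line, two corrupted ones.
    std::size_t bad = 0;
    std::vector<SessionFields> ok = parseSessionList("4242|user-50-1420|x\ngarbage\n|nopid\n", bad);
    std::cout << ok.size() << " accepted, " << bad << " rejected\n";
}
```

A caller can log the rejected count and show an error to the user rather than continuing with a partially filled session object.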


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 15:26:19 2024; Machine Name: ymir.das-netzwerkteam.de
