Revision: 4400
http://tigervnc.svn.sourceforge.net/tigervnc/?rev=4400&view=rev
Author: atkac
Date: 2011-05-10 08:53:38 +0000 (Tue, 10 May 2011)
Log Message:
-----------
[Security] vncviewer can send password without proper validation of X.509 certs
(CVE-2011-1775).
Reference:
http://www.mail-archive.com/[email protected]/msg01342.html
Modified Paths:
--------------
branches/1_1/common/rfb/CSecurityTLS.cxx
Modified: branches/1_1/common/rfb/CSecurityTLS.cxx
===================================================================
--- branches/1_1/common/rfb/CSecurityTLS.cxx 2011-04-30 05:07:31 UTC (rev
4399)
+++ branches/1_1/common/rfb/CSecurityTLS.cxx 2011-05-10 08:53:38 UTC (rev
4400)
@@ -171,8 +171,15 @@
if (!is->checkNoWait(1))
return false;
- if (is->readU8() == 0)
- return true;
+ if (is->readU8() == 0) {
+ rdr::U32 result = is->readU32();
+ CharArray reason;
+ if (result == secResultFailed || result == secResultTooMany)
+ reason.buf = is->readString();
+ else
+ reason.buf = strDup("Authentication failure (protocol error)");
+ throw AuthFailureException(reason.buf);
+ }
if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_init failed");
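Review bot: the new failure branch calls is->readU32() and is->readString() although the preceding is->checkNoWait(1) only guaranteed that a single byte was available, so these reads can block until the server supplies the result code and reason string; since the branch ends in a throw either way this is acceptable, but a comment saying so would help, and readString() should be trusted only as far as the server-supplied length prefix allows. The substantive fix is right: the old `return true` reported the security type as completed when the server had answered 0, before any gnutls session existed, so the caller proceeded to the credential exchange over a plain connection; replacing it with an AuthFailureException carrying the server's reason (or the "protocol error" fallback when the result code is neither secResultFailed nor secResultTooMany) closes that path. Note that `reason` goes out of scope as the exception propagates, so this relies on AuthFailureException copying its argument rather than retaining the pointer.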
_______________________________________________
Tigervnc-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tigervnc-commits