Revision: 4401
http://tigervnc.svn.sourceforge.net/tigervnc/?rev=4401&view=rev
Author: atkac
Date: 2011-05-10 08:54:57 +0000 (Tue, 10 May 2011)
Log Message:
-----------
[Security] vncviewer can send password without proper validation of X.509 certs
(CVE-2011-1775).
Reference:
http://www.mail-archive.com/[email protected]/msg01342.html
Modified Paths:
--------------
trunk/common/rfb/CSecurityTLS.cxx
Property Changed:
----------------
trunk/
Property changes on: trunk
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/1_1:4340,4342-4359,4361,4377,4396-4397
/branches/unified_buildsys:3892-3898
+ /branches/1_1:4340,4342-4359,4361,4377,4396-4397,4400
/branches/unified_buildsys:3892-3898
Modified: trunk/common/rfb/CSecurityTLS.cxx
===================================================================
--- trunk/common/rfb/CSecurityTLS.cxx 2011-05-10 08:53:38 UTC (rev 4400)
+++ trunk/common/rfb/CSecurityTLS.cxx 2011-05-10 08:54:57 UTC (rev 4401)
@@ -171,8 +171,15 @@
if (!is->checkNoWait(1))
return false;
- if (is->readU8() == 0)
- return true;
+ if (is->readU8() == 0) {
+ rdr::U32 result = is->readU32();
+ CharArray reason;
+ if (result == secResultFailed || result == secResultTooMany)
+ reason.buf = is->readString();
+ else
+ reason.buf = strDup("Authentication failure (protocol error)");
+ throw AuthFailureException(reason.buf);
+ }
if (gnutls_init(&session, GNUTLS_CLIENT) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_init failed");
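Review bot: In the new `if (is->readU8() == 0)` branch, `is->readU32()` and `is->readString()` run after `checkNoWait(1)` has only confirmed that a single byte is available, so the rest of this function's non-blocking pattern (`return false` when data is missing) is not followed for the result word and the reason string. Either check that the additional bytes are available before reading them, or state in a comment that waiting for the remaining input is acceptable on this failure path. The branch would also benefit from a short comment recording why a zero byte must now abort instead of `return true`; at present that rationale lives only in the log message. Finally, `reason` is a local `CharArray` whose buffer is passed to `throw AuthFailureException(reason.buf)`; please confirm that the exception copies the string, since `reason` is destroyed while the stack unwinds.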
_______________________________________________
Tigervnc-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tigervnc-commits