Package: vncserver
Version: 3.3.7-7
Severity: grave
Tags: security
Justification: user security hole

vncserver lets me in without supplying the full password. To reproduce this:

 1. start vncserver: vncserver :1
 2. when prompted, enter a password of eight or more characters
 3. start xvncviewer and connect to :1
 4. when prompted, enter the first eight characters of the password and hit enter

You have been authenticated. It appears that any characters after the 8th are ignored by vncserver. If, instead of entering the first 8 characters and stopping, you enter more random characters, you will also be authenticated.

This was reported in #debian on freenode by dob1. I checked it and found that he was correct.

If this is the expected behavior of vncserver it should be mentioned somewhere (prominently!) in the man page.

I've tested this by connecting with xvncviewer, vncviewer and xtightvncviewer, all from the local machine.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages vncserver depends on:
ii  dpkg            1.10.10          Package maintenance system for Deb
ii  libc6           2.3.5-3          GNU C Library: Shared libraries an
ii  libgcc1         1:4.0.2-2        GCC support library
ii  libice6         4.3.0.dfsg.1-8   Inter-Client Exchange library
ii  libsm6          4.3.0.dfsg.1-8   X Window System Session Management
ii  libstdc++5      1:3.3.5-5        The GNU Standard C++ Library v3
ii  libx11-6        6.8.2.dfsg.1-5   X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-8   X Window System miscellaneous exte
ii  perl            5.8.7-4          Larry Wall's Practical Extraction
ii  vnc-common      3.3.7-7          Virtual network computing server s
ii  xbase-clients   4.3.0.dfsg.1-8   miscellaneous X clients
ii  xlibs           4.3.0-7          X Window System client libraries m
ii  xserver-common  6.8.2.dfsg.1-4   files and utilities common to all
ii  zlib1g          1:1.2.1-1        compression library - runtime

Versions of packages vncserver recommends:
ii  xfonts-base     4.2.1-3          standard fonts for X

-- no debconf information
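The behaviour the report describes follows from how RFB 3.3 "VNC Authentication" works: the server sends a 16-byte random challenge, the client DES-encrypts it with the password used as the DES key, and a DES key is 8 bytes. Whatever a user types, only the first 8 bytes of the password ever reach the key schedule (with zero-padding for shorter passwords and, in VNC's long-standing quirk, each key byte bit-reversed). The following Go program is an added example written for this page, not code from the bug report, from vncserver, or from any VNC project. It models both sides of that exchange with the standard-library `crypto/des` package and shows that any password sharing the configured password's first 8 bytes authenticates; the function names `vncKey`, `vncResponse`, `serverAccepts`, `authenticates` and `effectiveLength` are this example's own, and the configured password is a constructed sample. A real server derives the key from the stored (obfuscated) password file rather than from a plaintext string, which the model leaves out.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// reverseBits reverses the bit order of one byte. VNC's original DES code
// consumed key bits in the opposite order from the DES standard, so
// interoperable implementations reverse each key byte before use.
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// vncKey derives the 8-byte DES key from a password the way RFB 3.3 VNC
// Authentication does: at most the first 8 bytes, zero-padded, bit-reversed.
// copy() stops at len(key), so everything after the 8th byte is discarded.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password)
	for i := range key {
		key[i] = reverseBits(key[i])
	}
	return key
}

// vncResponse is the client side: DES-ECB encrypt the 16-byte challenge as
// two 8-byte blocks under the password-derived key.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// serverAccepts is the server side: recompute the expected response from the
// configured password and accept only on an exact match.
func serverAccepts(configured string, challenge, response []byte) bool {
	expected, err := vncResponse(configured, challenge)
	if err != nil {
		return false
	}
	return bytes.Equal(expected, response)
}

// authenticates runs one full challenge-response exchange and reports whether
// a client typing `attempt` gets in against a server configured with `configured`.
func authenticates(configured, attempt string) bool {
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	resp, err := vncResponse(attempt, challenge)
	if err != nil {
		return false
	}
	return serverAccepts(configured, challenge, resp)
}

// effectiveLength is the check a password-setting tool should perform: how
// many bytes of the chosen password actually contribute to the key, and
// whether the rest was silently dropped.
func effectiveLength(password string) (used int, truncated bool) {
	if len(password) > 8 {
		return 8, true
	}
	return len(password), false
}

func main() {
	configured := "password123456" // constructed sample, 14 characters
	used, truncated := effectiveLength(configured)
	fmt.Printf("configured password: %d bytes used, truncated=%v\n", used, truncated)
	for _, attempt := range []string{configured, "password", "passwordZZZZ", "passwor", "wrong"} {
		fmt.Printf("  %-18q -> authenticated=%v\n", attempt, authenticates(configured, attempt))
	}
}
```

Running it shows the full password, its first 8 characters, and the first 8 characters followed by junk all authenticating, while a 7-character prefix does not. The practical consequence for an administrator is that a VNC password in this scheme has at most 8 bytes of entropy no matter how long it is, and the fix the report asks for (documenting or warning about the truncation at the point where the password is set) is what `effectiveLength` represents.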