Patches for TightVNC and/or VNC

Constantin Kaplinsky const "at" ce.cctpu.edu.ru
Sun, 24 Mar 2002 15:37:59 +0000


Hello Ivan,

>>>>> "IP" == Ivan Popov <pin "at" math.chalmers.se> writes:

IP> Looking at TightVNC Unix Changelog at www.tightvnc.com, I don't
IP> see any changes since November 2001. I see also that most of the
IP> traffic on vnc-tight-list concerns Windows (looking at the
IP> archives, I am not on the list).

IP> It makes the impression that Constantin - surely for good reasons
IP> - has abandoned development of the Unix version (Constantin,
IP> correct me if I'm wrong).

Yes, I think you're wrong. ;-)

I update change logs only on releasing new versions, that's why there
were no new records since November. In the future, I'll try to release
new versions more often. I worked on the Unix version and I plan to
continue working on it (actually, I like the Unix part of the work much
more than the Win32 version).

IP> For those using vnc on distributed filesystems I have to warn that
IP> the default configuration of the tools is essentially insecure, in
IP> some real scenarios opening access to your session to the whole
IP> world. Exploitation in such cases is trivial even for
IP> script-kiddies.

IP> It is not a problem with the protocol or the implementation, it is
IP> just wrong defaults (assuming a local home filesystem) built into
IP> the software that are so dangerous.

IP> I hope Constantin will either find resources to fix the Unix
IP> version, or delegate that part of the project to another volunteer
IP> (well, may be not easy to find, I would not volunteer myself!).

IP> I do not think independent patches flying around are a good
IP> solution for the project. But anyway -

Why not? In general, I don't see any problems with including good
patches into the TightVNC codebase. Regarding your security
improvements, I think they're important, and I saved them for later
inclusion; sorry that I could not find the time to answer your
previous mail on the subject :-(. But before inclusion into the
TightVNC codebase, I'd like first to discuss the changes with the
community. I understand that keeping passwords in home directories is
often a security risk, but is /tmp really a better place for _most_
users?

And you know that there are a lot of other security-related problems in
VNC (e.g. causing denial of service in Xvnc is extremely easy), so I
think VNC should be used _only_ on trusted networks anyway...

Currently, I'd prefer to include your changes, but only as an optional
choice, so admins could easily choose where to place .vnc directories
-- either in home directories, or in /tmp.

IP> some non-intel architectures workaround patch:
[skip]
I believe this problem is fixed in the latest version.

-- 
With Best Wishes,
Constantin