LOL - This is one of the most fascinating things about Open Source software...
You should theoretically be able to compile your own and have the sources available. Have a problem? You don't need a binary - grab a few lines, eyeball them, drop them in, and recompile... And if you can see it's going to do something you can't have happen, you're welcome to modify the behavior...

----- Original Message -----
From: "Tim Waugh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, 2002-03-12 05:04
Subject: Re: zlib vulnerability could affect VNC

: On Mon, Mar 11, 2002 at 09:46:44PM -0600, Mike Miller wrote:
:
: > Has anyone seen this? I hope it doesn't open a security hole in VNC.
: > The article suggests that VNC is "potentially vulnerable."
: >
: > http://www.linuxsecurity.com/articles/security_sources_article-4582.html
:
: The reason is that many vendors were shipping VNC with zlib statically
: linked in (which is the default). In fact, a malicious user must
: authenticate in order to be able to send compressed data.
:
: However, VNC's own authentication has been shown to be prone to a
: man-in-the-middle attack.
:
: (Disregarding the fact that once you have authenticated to a VNC
: server you can in general do things as the VNC server's user much more
: easily than that..)
:
: The other compelling reason to release VNC in this advisory was the
: fact that there is an exploitable denial-of-service problem in the
: mini-httpd that Xvnc provides. Patch appended.
:
: Tim.
: */

(code snipped so no one accidentally tries to compile a bunch of lines starting with ":")
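A statically linked zlib is not replaced when the system library is upgraded, so each such binary has to be found and rebuilt; one way to find them is to look for the version banners zlib compiles into its deflate and inflate objects. The following is an added example, not part of the original thread or of VNC; the function names and the sample byte strings are constructed for illustration.

```python
import re
import sys

# zlib embeds banners such as " deflate <version> Copyright ..." and
# " inflate <version> Copyright ..." in its object code, so they survive
# static linking and reveal which zlib release a binary carries.
BANNER = re.compile(rb" (deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright ")
# A reference to the shared library name suggests dynamic linking instead.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*")


def embedded_zlib(blob):
    """Return {component: sorted list of versions} for zlib banners in blob."""
    found = {}
    for m in BANNER.finditer(blob):
        found.setdefault(m.group(1).decode(), set()).add(m.group(2).decode())
    return {name: sorted(vers) for name, vers in found.items()}


def classify(blob):
    """Classify a binary image as 'static', 'dynamic' or 'none' w.r.t. zlib.

    Note: the shared library file itself also contains the banners, so run
    this against application binaries (e.g. a VNC server), not libz.so.
    """
    versions = embedded_zlib(blob)
    if versions:
        return "static", versions
    if SHARED.search(blob):
        return "dynamic", {}
    return "none", {}


# Constructed sample images (not real binaries): one carrying zlib banners,
# one that only names the shared library.
STATIC_SAMPLE = (b"\x7fELF\x00\x00"
                 b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
                 b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00")
DYNAMIC_SAMPLE = b"\x7fELF\x00\x00libz.so.1\x00libc.so.6\x00"

if __name__ == "__main__":
    # Usage: python find_static_zlib.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind, versions = classify(fh.read())
        print(f"{path}: {kind} {versions}")
```

Compare any reported version against the fixed release named in your vendor's advisory; a "dynamic" result means the binary picks up whatever system zlib is installed.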