[PR #1346] [MERGED] Implement client identity verification [SECURITY VULNERABILITIES CVE-2021-42072, CVE-2021-42073] #1785

Closed
opened 2026-05-05 08:01:53 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/debauchee/barrier/pull/1346
Author: @p12tic
Created: 11/1/2021
Status: Merged
Merged: 11/1/2021
Merged by: @p12tic

Base: master ← Head: client-identity-verification


📝 Commits (10+)

  • c0ce893 lib/net: Load client SSL certificates when connecting
  • 92ba6f6 gui: Move SSL fingerprint labels out of server frame
  • 4d73ed9 lib/net: Present client certificate when connecting to server
  • ed32e2e gui: Expand checkboxes in settings dialog through both grid columns
  • 8bc280e gui: Add configuration for requiring client certificates
  • 133e447 lib/net: Don't hardcode fingerprint DB path in verify_cert_fingerprint()
  • 82b8fa9 lib/net: Improve name of showCertificate() to reflect what it does
  • 5c7d719 lib/net: Use enum for connection security level instead of boolean
  • 57769cf lib/net: Pass connection security level to within socket classes
  • e79bdf3 gui: Fix fingerprint database being not populated due to missing dirs

📊 Changes

31 files changed (+680 additions, -255 deletions)


doc/newsfragments/client-certificate-checking.bugfix (+7 -0)
doc/newsfragments/client-send-certificate.feature (+1 -0)
📝 src/gui/CMakeLists.txt (+2 -0)
📝 src/gui/src/AppConfig.cpp (+7 -0)
📝 src/gui/src/AppConfig.h (+4 -0)
src/gui/src/FingerprintAcceptDialog.cpp (+65 -0)
src/gui/src/FingerprintAcceptDialog.h (+45 -0)
src/gui/src/FingerprintAcceptDialog.ui (+174 -0)
📝 src/gui/src/MainWindow.cpp (+33 -31)
📝 src/gui/src/MainWindow.h (+3 -7)
📝 src/gui/src/MainWindowBase.ui (+101 -101)
📝 src/gui/src/SettingsDialog.cpp (+2 -0)
📝 src/gui/src/SettingsDialogBase.ui (+42 -35)
📝 src/gui/src/SslCertificate.cpp (+5 -0)
📝 src/gui/src/ZeroconfService.cpp (+1 -1)
📝 src/lib/barrier/ArgParser.cpp (+3 -1)
src/lib/barrier/BarrierType.h (+26 -0)
📝 src/lib/barrier/ServerApp.cpp (+13 -3)
📝 src/lib/barrier/ServerArgs.h (+1 -0)
📝 src/lib/client/Client.cpp (+8 -3)

...and 11 more files

📄 Description

This PR implements client identity verification. Essentially, the server gets the same process of accepting and rejecting clients as the clients have for accepting or rejecting the server. This is important because even though the client can't move the mouse on the server, it can still receive input and potentially set the clipboard.

This PR fixes the following security vulnerabilities:

  • CVE-2021-42072: server does not verify client identity (certificate fingerprint).
  • CVE-2021-42073: by guessing or listening in on valid client names, server clipboard content can be manipulated.

The issues have been reported by Matthias Gerstner <mgerstner@suse.de> (@mgerstner). Matthias also provided insights into how best to fix the issues, precise reproduction steps and the tools used, and made the maintainer's life as pleasant as possible. Thank you!
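The server-side check the description calls for, written out as an added example in Python (not Barrier's own C++ code from this PR): the fingerprint of the certificate a connecting client presents is looked up in a trusted-fingerprints database, and the verdict depends on the configured connection security level (an enum rather than a boolean, in the spirit of commit 5c7d719). Everything not on the page is an assumption: the SHA-256 colon-separated fingerprint format, the enum, function and verdict names, and the `TrustedClients.txt` path; the certificate bytes are a constructed sample, not a real certificate.

```python
import hashlib
import hmac
import tempfile
from enum import Enum, auto
from pathlib import Path
from typing import Optional, Set, Tuple


class ConnectionSecurityLevel(Enum):
    """Assumed names; an enum so 'encrypted' and 'encrypted and authenticated' are not conflated."""
    PLAIN_TEXT = auto()               # no TLS at all
    ENCRYPTED = auto()                # TLS, but the peer fingerprint is not checked
    ENCRYPTED_AUTHENTICATED = auto()  # TLS and the peer fingerprint must be in the trusted DB


class Verdict(Enum):
    ACCEPT = auto()
    REJECT = auto()
    ASK_USER = auto()  # unknown fingerprint: the operator decides, nothing is accepted silently


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER bytes as upper-case, colon-separated hex (assumed format)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_trusted_fingerprints(db_path: Path) -> Set[str]:
    """One fingerprint per line; a missing DB simply means nobody is trusted yet."""
    if not db_path.exists():
        return set()
    trusted = set()
    for line in db_path.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            trusted.add(line.upper())
    return trusted


def record_trusted_fingerprint(db_path: Path, fingerprint: str) -> None:
    """Called only after the operator explicitly accepted the fingerprint.
    Parent directories are created so a fresh profile does not leave the DB unpopulated."""
    db_path.parent.mkdir(parents=True, exist_ok=True)
    with db_path.open("a", encoding="utf-8") as fh:
        fh.write(fingerprint + "\n")


def is_trusted(fingerprint: str, trusted: Set[str]) -> bool:
    # Constant-time comparison against every entry; the set is small, so cost is negligible.
    return any(hmac.compare_digest(fingerprint, entry) for entry in trusted)


def verify_client(der_cert: Optional[bytes], trusted: Set[str],
                  level: ConnectionSecurityLevel) -> Tuple[Verdict, str]:
    """Decide whether a connecting client may be admitted under the configured level."""
    if level is ConnectionSecurityLevel.PLAIN_TEXT:
        return Verdict.ACCEPT, "plain text connection: client identity cannot be verified"
    if level is ConnectionSecurityLevel.ENCRYPTED:
        return Verdict.ACCEPT, "encrypted connection: client identity not checked"
    # ENCRYPTED_AUTHENTICATED: a certificate is mandatory and must be known.
    if der_cert is None:
        return Verdict.REJECT, "client presented no certificate"
    fingerprint = cert_fingerprint(der_cert)
    if is_trusted(fingerprint, trusted):
        return Verdict.ACCEPT, f"client fingerprint {fingerprint} is trusted"
    return Verdict.ASK_USER, f"unknown client fingerprint {fingerprint}; operator must accept or reject"


def demo() -> dict:
    """First connection of an unknown client, then a second one after the operator accepted it."""
    client_cert = b"constructed DER bytes standing in for a client certificate"  # constructed sample
    level = ConnectionSecurityLevel.ENCRYPTED_AUTHENTICATED
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical DB location; its parent directories do not exist yet.
        db = Path(tmp) / "SSL" / "Fingerprints" / "TrustedClients.txt"
        before, _ = verify_client(client_cert, load_trusted_fingerprints(db), level)
        record_trusted_fingerprint(db, cert_fingerprint(client_cert))
        after, _ = verify_client(client_cert, load_trusted_fingerprints(db), level)
        other, _ = verify_client(b"constructed bytes of some other client", load_trusted_fingerprints(db), level)
    return {"before_accept": before, "after_accept": after, "unknown_client": other}


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict.name}")
```

The point of the split verdicts is that an unknown fingerprint never becomes an accept on its own: only a deliberate operator decision writes it to the database, after which that client, and only that client, is admitted automatically. Knowing a valid client name buys nothing at the authenticated level, which is what closes the clipboard manipulation path described above.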


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

Reference: github-starred/barrier#1785