mirror of
https://github.com/debauchee/barrier.git
synced 2026-05-15 14:16:02 -06:00
[GH-ISSUE #1129] Security issues on Windows #904
Labels
No labels
HiDPI
bounty
bsd/freebsd
bsd/openbsd
bug
bug
build-infra
cantfix
critical
doc
duplicate
enhancement
fix-available
from git
from release
good first issue
help wanted
installer/package
invalid
linux
macOS
meta
needs testing
pull-request
query
question
regression
regression
v2.4.0
windows
wontfix
work-in-progress
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/barrier#904
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @mmiszczyk on GitHub (Apr 14, 2021).
Original GitHub issue: https://github.com/debauchee/barrier/issues/1129
Describe the bug
Newest release of Barrier has two simple, easy to fix security issues on Windows (possibly inherited from Synergy but because I don't have a license for it, I can't verify if they are still present in new versions).
To Reproduce
I'm not sure if public issue tracker is the correct place to share this. I will post details if it's ok for you, but it would be better if you provided an e-mail for reporting potential security bugs.
Expected behavior
There should be no security bugs.
Desktop (please complete the following information):
@p12tic commented on GitHub (Jun 25, 2021):
@mmiszczyk Could you please contact me at povilas@radix.lt ? Thanks a lot
@mmiszczyk commented on GitHub (Jun 28, 2021):
@p12tic I've sent you an e-mail.
@shymega commented on GitHub (Jul 4, 2021):
@mmiszczyk Could you also email me at: barrier AT shymega DOT org DOT uk - thanks.
@mmiszczyk commented on GitHub (Jul 5, 2021):
@shymega I've forwarded you the email I sent to @p12tic
@AkechiShiro commented on GitHub (Jun 17, 2022):
@mmiszczyk could you please send me the mail as well ? I'm looking into using barrier but I was wondering about any security issues at the moment affecting it. Is the security issue very critical ? Or ?
@shymega commented on GitHub (Jun 17, 2022):
This issue was patched in v2.3.4 and v2.4.0.
@shymega commented on GitHub (Jun 17, 2022):
And really, security issues should be limited to notifying the maintainers, @AkechiShiro, not just anyone - for all we know, you could be an attacker.
@AkechiShiro commented on GitHub (Jun 17, 2022):
Thanks, well I guess you're right but a real attacker wouldn't use his own GitHub account but probably a burner one and also, my past activities has shown that I work in some security related projects but that might not be convincing enough, surely anyone who shows up asking for details should be treated as such.
I was wondering how bad the issue is since no criticality was mentioned nor anything about what can be doable with the vulnerabilities, I'm not asking for a PoC just more details so that I know if I'm exposing myself to say an RCE or something less critical, DoS or leak of sensitive information or anything like that.
What feature fixed the issue, was it the client certificate ?
@AkechiShiro commented on GitHub (Jun 18, 2022):
@shymega if this issue is fixed, then why is it open here ? Shouldn't it be closed?
@mmiszczyk commented on GitHub (Jun 20, 2022):
If the issues have been fixed, I agree this should be closed and there should be an advisory posted here: https://github.com/debauchee/barrier/security/advisories so that people will know that there is a security patch in those versions
@shymega commented on GitHub (Jul 16, 2022):
Sorry for my late reply. Work's been busy.
I would treat anyone who asks for security vulnerabilities details before it's patched with suspicion, especially if the vuln is zero-day. You have to be careful.
I found googling 'Barrier KVM CVEs' comes up with with you wanted, @AkechiShiro.
The issue can be closed now. I am no longer part of the Barrier project, we forked, but Povilas patched the vuln. I think I advised doing an advisory, as that is the correct way. Instead what transpired was just a notice in release notes and IRC. It is too late to do an advisory now that Povilas and I have left Barrier, and Barrier doesn't seem very well maintained anymore.
@mmiszczyk commented on GitHub (Jul 17, 2022):
@shymega @p12tic Looking at the release notes, it doesn't seem that any of them mentions the issues I've reported, only unrelated remote DoS vulnerabilities. Indeed, I've verified that both of them are present on 2.4.0.
@AkechiShiro commented on GitHub (Jul 17, 2022):
@mmiszczyk could you verify if they are present in input-leap ? The new fork I believe
@mmiszczyk commented on GitHub (Jul 17, 2022):
It seems that input-leap doesn't have releases newer than the one equivalent to 2.4.0.
BTW minor correction: one of the issues is fixed, but only if doing a full reinstall, not when doing an upgrade by running an installer without uninstalling first.
@AkechiShiro commented on GitHub (Jul 17, 2022):
Then this should be priority to fix this issue I believe.
@shymega commented on GitHub (Jul 17, 2022):
Yeah, I see now. I thought Povilas put it in the release notes. As far as I'm concerned, v2.4.0 is a bit of a mess. We need to bump to v2.5.0 and fix this. I no longer work on Barrier, only Input Leap and Continuity, but hopefully, @p12tic will see this. I am not familiar with C++.
@AkechiShiro commented on GitHub (Jul 17, 2022):
Should I open an issue in Input-Leap referencing this one here @shymega ?
@AkechiShiro commented on GitHub (Jul 17, 2022):
Also about Continuity, can people contribute to it with you, I'm interested, from what I saw that project is really at the bare first steps @shymega
@shymega commented on GitHub (Jul 17, 2022):
You can do. We did mirror issues on the fork, but nothing since the script last ran. I'm also thinking of merging some PRs that were put here on the Barrier project, merged or not. That way we have some updated code...
You can. There's an IRC channel too. It's pretty barebones, yes, but the main issue is drivers right now. I also need to develop the new USBvIP protocol (USB-via-IP), and video sharing crate.