192712 2007-09-16 18:05 0000 net-misc/nx-2.1.0, nxnode-2.1.0 Multiple issues in XFree86 code 2007-10-09 22:45:16 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/21446/ B2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org nx@gentoo.org Storklerk@ariolc.dyndns.org rbu@gentoo.org 2007-09-16 18:05:23 0000 net-misc/nx contains a modified version of XFree86 4.3.0 in the file nx-X11-2.1.0-3.tar.gz. That file contains xfree code from February 2003 that is, by itself, vulnerable to several issues reported since then. I am unaware whether the package was patched for some of the earlier issues, but I verified the code is unpatched for: * CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension) in nx-X11/programs/Xserver/Xext/xcmisc.c * CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c) in nx-x11/lib/font/bitmap/bdfread.c * CVE-2007-1352 (Integer overflow in the FontFileInitTable function) in nx-x11/lib/font/fontfile/fontdir.c * CVE-2007-1667 (Multiple integer overflows in (1) the XGetPixel function in ImUtil.c, and (2) XInitImage) in nx-x11/lib/X11/ImUtil.c * CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 (Multiple integer overflows in dbe and render extensions) * CVE-2006-3739 CVE-2006-3740 (Integer overflows in handling CID encoded Type1 fonts) This code is compiled and statically linked into the nxagent (nx X server) executable. I believe the privilege escalations are not issues here because nxagent is running with user rights. Nevertheless some might be a security problem. As far as I saw, nx is only used for the GPL NX server "nxserver-freenx" and not for nxserver-freeedition. nx is stable on x86 as per bug 180040. rbu@gentoo.org 2007-09-16 18:43:05 0000 nx, what's your advice? voyageur@gentoo.org 2007-09-16 21:55:45 0000 net-misc/nxnode's (for the freeedition server) nxagent is built from the same code , so it's vulnerable as well The 2.x branch (based on xfree) is not maintained anymore upstream, replaced in favor of 3.x (xorg-based and maintained). So I'd recommend dropping nxnode 2.1* (and nxserver-freeeedition 2.1 that only works with it), and only leave 3.0: this will require x86 stabilization for nxclient-3.0.0-r3 (3.0 version is required by nxnode 3.0), nxnode-3.0.0-r2 and nxserver-freeedition-3.0.0-r2 For freenx, a patch was released to get freenx-0.7 working with a nx-3.0 package. I have to make new nx and nxserver-freenx packages for that, after that we can test (and mark) them stable on x86, and drop the remaining 2.x packages rbu@gentoo.org 2007-09-16 23:10:47 0000 Setting whiteboard to B2 because the codebase might allow code execution when using a manipulated fonts with the old freetype code. [1] The vulnerabilities quoted above are privilege escalations and I do not think they're an issue here. [1] http://secunia.com/advisories/21446/ Bernard, thanks for pointing out the dependencies. To sum up, we have two vulnerable packages: 1) net-misc/nx-2.1.0 2) net-misc/nxnode-2.1.0 voyageur@gentoo.org 2007-09-18 10:00:40 0000 net-misc/nx-3.0.0 and net-misc/nxserver-freenx-0.7.0-r1 (that works with nx3) are in portage now rbu@gentoo.org 2007-09-18 10:23:33 0000 Thanks a lot, Bernard. x86, please test and mark stable: net-misc/nx net-misc/nxclient net-misc/nxnode net-misc/nxserver-freeedition (all in the latest 3.0.0 versions) net-misc/nxserver-freenx-0.7.0-r1 Storklerk@ariolc.dyndns.org 2007-09-18 17:34:54 0000 I see a new net-misc/nx-3.0.0: nx-3.0.0.ebuild 1.1 8 hours voyageur Version bump to new 3.0.0 branch,... but nothing in net-misc/nxserver-freenx: nxserver-freenx-0.6.0.ebuild 1.5 2 months opfer stable x86, bug 180040 nxserver-freenx-0.7.0.ebuild 1.1 5 weeks voyageur Version bump (from sources.gentoo.org/viewcvs.py) CVS commit borked? Because the freenx-0.7.0 version in portage still depends on ~net-misc/nx-2.1.0 rbu@gentoo.org 2007-09-18 17:49:19 0000 Seems like the new freenx was committed after the comment here, but it's in CVS now. voyageur@gentoo.org 2007-09-18 17:58:15 0000 Sorry for the delay, I missed the enter key after "repoman commit", and only realized it when I did not see it appear on mirrors at the same time as nx-3.0.0. The new version is 0.7.0-r1, not 0.7.0 (a patch is needed to use nx 3.0.0) fauli@gentoo.org 2007-09-19 16:59:03 0000 * Running NoMachine's update script NX> 701 Updating: server at: Mi Sep 19 16:44:59 2007. NX> 701 Autodetected system: gentoo. NX> 701 Update log is: /usr/NX/var/log/update. NX> 701 Checking NX server configuration using /usr/NX/etc/server.cfg file. NX> 701 ERROR: Output: chown: cannot access `/usr/NX/etc/keys/node.localhost.id_dsa': No such file or directory. NX> 701 ERROR: Cannot set ownership attributes for '/usr/NX/etc/keys/node.localhost.id_dsa' to 'nx:root'. * * ERROR: net-misc/nxserver-freeedition-3.0.0-r3 failed. voyageur@gentoo.org 2007-09-19 22:54:34 0000 /usr/NX/etc/server.cfg is created by the setup script on first installation, at that time the files in /usr/NX/etc/keys are created. So when updating (determined by server.cfg already existing in the ebuild), these files should be there... A leftover incorrect /usr/NX/etc/server.cfg ? fauli@gentoo.org 2007-09-20 12:48:04 0000 x86 stable, last arch, glsa to be requested, thus changing whiteboard py@gentoo.org 2007-09-20 13:01:15 0000 glsa request filed. py@gentoo.org 2007-10-09 22:45:16 0000 GLSA 200710-09