Summary: | net-misc/nx-2.1.0, nxnode-2.1.0 Multiple issues in XFree86 code | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | nx, Storklerk
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://secunia.com/advisories/21446/ | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Robert Buchholz (RETIRED)
2007-09-16 18:05:23 UTC
nx, what's your advice?

net-misc/nxnode's (for the freeedition server) nxagent is built from the same code, so it's vulnerable as well.
The 2.x branch (based on xfree) is not maintained anymore upstream, replaced in favor of 3.x (xorg-based and maintained). So I'd recommend dropping nxnode 2.1* (and nxserver-freeedition 2.1, which only works with it) and only leaving 3.0: this will require x86 stabilization for nxclient-3.0.0-r3 (the 3.0 version is required by nxnode 3.0), nxnode-3.0.0-r2 and nxserver-freeedition-3.0.0-r2.
For freenx, a patch was released to get freenx-0.7 working with a nx-3.0 package. I have to make new nx and nxserver-freenx packages for that; after that we can test (and mark) them stable on x86, and drop the remaining 2.x packages.

Setting whiteboard to B2 because the codebase might allow code execution when using manipulated fonts with the old freetype code. [1] The vulnerabilities quoted above are privilege escalations and I do not think they're an issue here.
[1] http://secunia.com/advisories/21446/

Bernard, thanks for pointing out the dependencies. To sum up, we have two vulnerable packages:
1) net-misc/nx-2.1.0
2) net-misc/nxnode-2.1.0

net-misc/nx-3.0.0 and net-misc/nxserver-freenx-0.7.0-r1 (which works with nx3) are in portage now.

Thanks a lot, Bernard.
x86, please test and mark stable:
net-misc/nx
net-misc/nxclient
net-misc/nxnode
net-misc/nxserver-freeedition
(all in the latest 3.0.0 versions)
net-misc/nxserver-freenx-0.7.0-r1

I see a new net-misc/nx-3.0.0:
nx-3.0.0.ebuild 1.1 8 hours voyageur Version bump to new 3.0.0 branch,...
but nothing in net-misc/nxserver-freenx:
nxserver-freenx-0.6.0.ebuild 1.5 2 months opfer stable x86, bug 180040
nxserver-freenx-0.7.0.ebuild 1.1 5 weeks voyageur Version bump
(from sources.gentoo.org/viewcvs.py)
CVS commit borked? Because the freenx-0.7.0 version in portage still depends on ~net-misc/nx-2.1.0.

Seems like the new freenx was committed after the comment here, but it's in CVS now.
Sorry for the delay, I missed the enter key after "repoman commit", and only realized it when I did not see it appear on mirrors at the same time as nx-3.0.0. The new version is 0.7.0-r1, not 0.7.0 (a patch is needed to use nx 3.0.0).

 * Running NoMachine's update script
NX> 701 Updating: server at: Mi Sep 19 16:44:59 2007.
NX> 701 Autodetected system: gentoo.
NX> 701 Update log is: /usr/NX/var/log/update.
NX> 701 Checking NX server configuration using /usr/NX/etc/server.cfg file.
NX> 701 ERROR: Output: chown: cannot access `/usr/NX/etc/keys/node.localhost.id_dsa': No such file or directory.
NX> 701 ERROR: Cannot set ownership attributes for '/usr/NX/etc/keys/node.localhost.id_dsa' to 'nx:root'.
 *
 * ERROR: net-misc/nxserver-freeedition-3.0.0-r3 failed.

/usr/NX/etc/server.cfg is created by the setup script on first installation; at that time the files in /usr/NX/etc/keys are created. So when updating (determined by server.cfg already existing in the ebuild), these files should be there... A leftover incorrect /usr/NX/etc/server.cfg?

x86 stable, last arch, glsa to be requested, thus changing whiteboard.

glsa request filed.

GLSA 200710-09
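The update failure quoted above comes from an install step that infers "update" from the presence of /usr/NX/etc/server.cfg and then chowns key files that a stale server.cfg does not guarantee. The following is an added example, not code from this bug or from the nx ebuilds: it classifies an NX tree before any ownership change, so a leftover server.cfg without its keys is reported as inconsistent instead of crashing the update script. The function name, the mode words and the NX_REQUIRED_KEYS list are this example's own; node.localhost.id_dsa is the one key file named in the bug, and the directory the demo builds is constructed on the spot.

```shell
#!/bin/sh
# Added example, not code from this bug or from the nx ebuilds: classify an
# NX installation tree before running an update step that assumes the key
# files exist. The ebuild in the bug treats an existing server.cfg as "this
# is an update"; the update script then chowns etc/keys/node.localhost.id_dsa
# to nx:root and fails when server.cfg was left behind without the keys.
# Checking for the keys explicitly turns that crash into a diagnosable state.
#
# The function name, the mode words and NX_REQUIRED_KEYS are this example's
# own; node.localhost.id_dsa is the one file named in the bug.

NX_REQUIRED_KEYS="node.localhost.id_dsa"

# nx_install_mode ROOT
# Prints exactly one word:
#   fresh        - ROOT/etc/server.cfg absent: run first-time setup
#   update       - server.cfg and every file in NX_REQUIRED_KEYS present
#   inconsistent - server.cfg present but a required key file is missing
# Missing files are listed on stderr. Always returns 0 so callers branch on
# the printed word rather than on the exit status.
nx_install_mode() {
    root=$1
    cfg="$root/etc/server.cfg"
    keys="$root/etc/keys"

    if [ ! -f "$cfg" ]; then
        echo fresh
        return 0
    fi

    missing=0
    for k in $NX_REQUIRED_KEYS; do
        if [ ! -f "$keys/$k" ]; then
            echo "nx_install_mode: $cfg exists but $keys/$k is missing" >&2
            missing=1
        fi
    done

    if [ "$missing" -ne 0 ]; then
        echo inconsistent
    else
        echo update
    fi
    return 0
}

# Stand-alone demo on a constructed tree reproducing the bug's situation:
# a server.cfg left behind, but no key files, then the repaired tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/keys"
: > "$demo_root/etc/server.cfg"
printf 'leftover server.cfg, no keys -> %s\n' "$(nx_install_mode "$demo_root")"
: > "$demo_root/etc/keys/node.localhost.id_dsa"
printf 'server.cfg and key present   -> %s\n' "$(nx_install_mode "$demo_root")"
rm -rf "$demo_root"
```

In an install or update step the chown to nx:root would only run in the update branch; the inconsistent branch should abort with a message pointing at the stale /usr/NX/etc/server.cfg (the cause Bernard suspects above) rather than letting NoMachine's update script die on a missing file.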