Bug 192712 - net-misc/nx-2.1.0, nxnode-2.1.0 Multiple issues in XFree86 code
Bug#: 192712
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/21446/
Summary: net-misc/nx-2.1.0, nxnode-2.1.0 Multiple issues in XFree86 code
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2007-09-16 18:05 0000

net-misc/nx contains a modified version of XFree86 4.3.0 in the file
nx-X11-2.1.0-3.tar.gz. That file contains xfree code from February 2003 that
is, by itself, vulnerable to several issues reported since then. I am unaware
whether the package was patched for some of the earlier issues, but I verified
the code is unpatched for:
* CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension)
  in nx-X11/programs/Xserver/Xext/xcmisc.c
* CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c)
  in nx-x11/lib/font/bitmap/bdfread.c
* CVE-2007-1352 (Integer overflow in the FontFileInitTable function)
  in nx-x11/lib/font/fontfile/fontdir.c
* CVE-2007-1667 (Multiple integer overflows in (1) the XGetPixel function in ImUtil.c, and (2) XInitImage)
  in nx-x11/lib/X11/ImUtil.c
* CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 (Multiple integer overflows in dbe and render extensions)
* CVE-2006-3739 CVE-2006-3740 (Integer overflows in handling CID encoded Type1 fonts)
This code is compiled and statically linked into the nxagent (nx X server)
executable. I believe the privilege escalations are not issues here because
nxagent is running with user rights. Nevertheless some might be a security
problem.
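The entries listed above are integer overflows; a common form of that bug class is a client-supplied count multiplied into an allocation size with 32-bit arithmetic. As an added illustration (not code from nx, XFree86 or this report; `xid_t`, `size_unchecked`, `size_checked` and `alloc_id_list` are hypothetical names and the count is a constructed value), the wrapping computation beside a bounds-checked one:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t xid_t;            /* hypothetical 32-bit resource ID */

/* Size computation done in 32-bit arithmetic: the product silently wraps. */
static uint32_t size_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(xid_t);
}

/* Hardened form: refuse counts whose byte size cannot be represented. */
static int size_checked(uint32_t count, uint32_t *bytes)
{
    if (count > UINT32_MAX / sizeof(xid_t))
        return -1;
    *bytes = count * (uint32_t)sizeof(xid_t);
    return 0;
}

/* Hypothetical handler: returns 0 and a buffer, or -1 to reject the request. */
static int alloc_id_list(uint32_t count, xid_t **out)
{
    uint32_t bytes;
    if (size_checked(count, &bytes) != 0)
        return -1;                 /* reject before any allocation happens */
    *out = malloc(bytes ? bytes : 1);
    return *out ? 0 : -1;
}

int main(void)
{
    uint32_t count = 0x40000001u;  /* constructed client-supplied value */
    xid_t *ids = NULL;

    /* The buffer would be far smaller than count entries require. */
    printf("unchecked size for %u entries: %u bytes\n",
           (unsigned)count, (unsigned)size_unchecked(count));
    printf("checked handler: %s\n",
           alloc_id_list(count, &ids) == 0 ? "allocated" : "rejected");
    if (alloc_id_list(16, &ids) == 0) {
        printf("16 entries: allocated\n");
        free(ids);
    }
    return 0;
}
```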
As far as I saw, nx is only used for the GPL NX server "nxserver-freenx" and
not for nxserver-freeedition. nx is stable on x86 as per bug 180040.
net-misc/nxnode's (for the freeedition server) nxagent is built from the same
code, so it's vulnerable as well.
The 2.x branch (based on xfree) is not maintained anymore upstream, replaced in
favor of 3.x (xorg-based and maintained).
So I'd recommend dropping nxnode 2.1* (and nxserver-freeedition 2.1 that only
works with it), and only leave 3.0: this will require x86 stabilization for
nxclient-3.0.0-r3 (3.0 version is required by nxnode 3.0), nxnode-3.0.0-r2 and
nxserver-freeedition-3.0.0-r2.
For freenx, a patch was released to get freenx-0.7 working with a nx-3.0
package. I have to make new nx and nxserver-freenx packages for that, after
that we can test (and mark) them stable on x86, and drop the remaining 2.x
packages.
Setting whiteboard to B2 because the codebase might allow code execution when
using manipulated fonts with the old freetype code. [1] The vulnerabilities
quoted above are privilege escalations and I do not think they're an issue
here.
[1] http://secunia.com/advisories/21446/
Bernard, thanks for pointing out the dependencies. To sum up, we have two
vulnerable packages:
1) net-misc/nx-2.1.0
2) net-misc/nxnode-2.1.0
net-misc/nx-3.0.0 and net-misc/nxserver-freenx-0.7.0-r1 (that works with nx3)
are in portage now
Thanks a lot, Bernard.
x86, please test and mark stable:
net-misc/nx
net-misc/nxclient
net-misc/nxnode
net-misc/nxserver-freeedition
(all in the latest 3.0.0 versions)
net-misc/nxserver-freenx-0.7.0-r1
I see a new net-misc/nx-3.0.0:
nx-3.0.0.ebuild 1.1 8 hours voyageur Version bump to new 3.0.0 branch,...
but nothing in net-misc/nxserver-freenx:
nxserver-freenx-0.6.0.ebuild 1.5 2 months opfer stable x86, bug 180040
nxserver-freenx-0.7.0.ebuild 1.1 5 weeks voyageur Version bump
(from sources.gentoo.org/viewcvs.py)
CVS commit borked? Because the freenx-0.7.0 version in portage still depends on
~net-misc/nx-2.1.0
Seems like the new freenx was committed after the comment here, but it's in CVS
now.
Sorry for the delay, I missed the enter key after "repoman commit", and only
realized it when I did not see it appear on mirrors at the same time as
nx-3.0.0. The new version is 0.7.0-r1, not 0.7.0 (a patch is needed to use nx
3.0.0)
* Running NoMachine's update script
NX> 701 Updating: server at: Mi Sep 19 16:44:59 2007.
NX> 701 Autodetected system: gentoo.
NX> 701 Update log is: /usr/NX/var/log/update.
NX> 701 Checking NX server configuration using /usr/NX/etc/server.cfg file.
NX> 701 ERROR: Output: chown: cannot access `/usr/NX/etc/keys/node.localhost.id_dsa': No such file or directory.
NX> 701 ERROR: Cannot set ownership attributes for '/usr/NX/etc/keys/node.localhost.id_dsa' to 'nx:root'.
*
* ERROR: net-misc/nxserver-freeedition-3.0.0-r3 failed.
/usr/NX/etc/server.cfg is created by the setup script on first installation, at
that time the files in /usr/NX/etc/keys are created. So when updating
(determined by server.cfg already existing in the ebuild), these files should
be there... A leftover incorrect /usr/NX/etc/server.cfg?
x86 stable, last arch, glsa to be requested, thus changing whiteboard