Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 497260 (CVE-2013-7383) - <net-misc/x2goserver-4.0.1.12: privilege escalation (CVE-2013-7383)
Summary: <net-misc/x2goserver-4.0.1.12: privilege escalation (CVE-2013-7383)
Status: RESOLVED FIXED
Alias: CVE-2013-7383
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://lists.berlios.de/pipermail/x2...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-06 12:28 UTC by Bernard Cafarelli
Modified: 2014-05-19 07:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bernard Cafarelli gentoo-dev 2014-01-06 12:28:37 UTC
From announcement:
"Please note::: This release fixes a severe vulnerability in X2Go Server
that allowed an attacker with user permissions to gain root access to
the X2Go Server machine. Everyone, please upgrade your X2Go Server
installations."

I just added x2goserver-4.0.1.10 to tree, it works fine with stable x2goclient and libssh (and openssh[-hpn] on the server), so it can be stabled to fix this vulnerability
Comment 1 Agostino Sarubbo gentoo-dev 2014-01-06 12:46:54 UTC
Thanks for the report
Comment 2 Bernard Cafarelli gentoo-dev 2014-01-06 18:04:15 UTC
4.0.1.10 fixed the vulnerability but introduced a small bug when session ID strings contained dot characters.

So arches please test and mark stable =net-misc/x2goserver-4.0.1.11 instead, thanks!
Comment 3 Bernard Cafarelli gentoo-dev 2014-01-09 16:24:45 UTC
Another hotfix release (this time for remote printing) came, so I removed the previous stable candidates. Sorry for the noise

Arches, new stable target is =net-misc/x2goserver-4.0.1.12
Comment 4 Pacho Ramos gentoo-dev 2014-01-12 16:57:10 UTC
amd64 stable
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-01-21 00:43:43 UTC
x86 stable
Comment 6 Bernard Cafarelli gentoo-dev 2014-03-03 16:41:14 UTC
Vulnerable versions removed from tree
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-03-04 17:29:59 UTC
Maintainers and Arches thank you for your work.

GLSA Request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-05-19 07:44:59 UTC
This issue was resolved and addressed in
 GLSA 201405-26 at http://security.gentoo.org/glsa/glsa-201405-26.xml
by GLSA coordinator Mikle Kolyada (Zlogene).