The two ebuilds we currently have in the tree are affected by that. The version with the fix can be found here: https://github.com/gentoo/gentoo/pull/29428
Reproducible: Always
We should likely update and drop the two others. Possibly making the whole package ~ only again.
Please let me know how to proceed with that. I guess we need a GLSA, drop the two (stable) and merge the new one (~). On top maybe a news item for users that this one is no longer stable.
Why wouldn't we stable the new one?
CVE-2023-24486: A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.
We could maybe just stable the new one. That would be faster than the usual 30 days, but maybe in this case it would be allowed. The whole story about making this non-stable again is something I wanted to do for some time, but we should not mix topics and first see about this one.
new package was merged, next step will be to drop the old stuff as proposed here https://github.com/gentoo/gentoo/pull/29873
(In reply to Henning Schild from comment #4)
> new package was merged, next step will be to drop the old stuff as proposed
> here
>
> https://github.com/gentoo/gentoo/pull/29873
But why would we do this and not stable the new one? Please just file a stablereq and have it block this bug.
(In reply to John Helmert III from comment #5)
> (In reply to Henning Schild from comment #4)
> > new package was merged, next step will be to drop the old stuff as proposed
> > here
> >
> > https://github.com/gentoo/gentoo/pull/29873
>
> But why would we do this and not stable the new one? Please just file a
> stablereq and have it block this bug.
I promise you no AT will ever stabilize it, because it's fetch-restricted.
No affected ebuilds in the tree any longer.
I think this one can be closed.
The package no longer exists in the ebuild tree.
Please do not close bugs assigned to security@; there is still a possibility that the package will receive a GLSA, and security bugs are to be closed only after the security project votes to either not publish a GLSA or the GLSA is published.