Summary: | net-misc/nxnode, net-misc/nx Xorg security fixes included | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | nx |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.nomachine.com/news-read.php?idnews=230 | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2008-02-16 01:57:30 UTC
NX herd, please bump -- or do we have all the necessary code in the tree already? The last ebuild commit is dated before the press release. If so, is it ready for stabling?

This is indeed bug #204362:
"Four of the vulnerabilities affect NX Node 3.1.0-5, namely:
XInput Extension Memory Corruption Vulnerability [IDEF2888 CVE-2007-6427].
TOG-CUP Extension Memory Corruption Vulnerability [IDEF2901 CVE-2007-6428].
EVI Extension Integer Overflow Vulnerability [IDEF2902 CVE-2007-6429].
MIT-SHM Extension Integer Overflow Vulnerability [IDEF2904 CVE-2007-6429]"
Both nxnode and nx packages need to be bumped, I'm adding new versions. Stabling packages should also involve net-misc/nxclient-3.1.0 and net-misc/nxserver-freeedition-3.1.0, to go along with new nxnode-3.1.0. I'll sum up what needs to be stabled as soon as I have the packages in the tree.

Ok, new packages with security fixes included:
net-misc/nxnode-3.1.0-r2
net-misc/nx-3.1.0-r1
Current stable versions are also based on Xorg, so security stabling is needed.

Need amd64 and x86 stable keywords:
net-misc/nxnode-3.1.0-r2
net-misc/nxclient-3.1.0 (ready for stable, to go along with nxnode-3.1)
net-misc/nxserver-freeedition-3.1.0 (same)

x86 stable keyword:
net-misc/nx-3.1.0-r1
net-misc/nxserver-freenx-0.7.1-r2 (ready for stable, has patches with better 3.1 nx detection)

I was about to finally ask amd64 stabling on freenx, I guess it will have to wait a bit more...

Thanks for the fast update, arches please stable as mentioned in the above comment.

x86 stable

I'm working on stabilization of this stuff. But I've never used it so this'll take some time. Hopefully today or tomorrow, I'll stabilize it.

Well, while I'm progressing in getting this stuff working I see the following problem with the nxnode ebuild. It does:
chown nx:root "${ROOT}"/usr/NX/etc/node.lic
while it does not create the nx user. Also for consistency it's better to use chown nx:0 ... see bug 103563.

Thanks, the nx user is now created in nxnode (this worked before because the NX install script fixed the ownership in nxserver ebuild), and it's now nx:0. Should be fine (nxnode-3.1.0-r2)

amd64 stable. After IRC discussion with voyageur I've stabilized -r1 for nxnode and nxserver-freeedition.

Fixed in release snapshot.

request filed

GLSA 200804-05