Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 472582 (CVE-2013-4376)

Summary: <net-misc/x2goserver-4.0.0.2: arbitrary code execution as uid x2gouser (CVE-2013-4376)
Product: Gentoo Security Reporter: Bernard Cafarelli <voyageur>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: nx
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Bernard Cafarelli gentoo-dev 2013-06-07 14:11:17 UTC 
Per upstream announcement (in URL), this version includes:
Vulnerability fix. With previous version it was easily possible for an attacker to execute arbitrary code as uid x2gouser
WARNING::: The above mentioned vulnerability fix demands that you  
upgrade all your X2Go Server installations to version 4.0.0.2.

4.0.0.2 is in tree now and works fine with ~arch x2goclient and net-misc/nx, but I have not tested it as much with stable versions.

To be on the safe side, we should stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2
Target arches: amd64 and x86

Both nx and x2goclient versions have been in tree for some time now without new bugreports
Comment 1 Bernard Cafarelli gentoo-dev 2013-06-10 23:02:35 UTC 
With arches CC'ed it will be better sorry. Arches please test and mark stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2 (only recent package)

Thanks!
Comment 2 Agostino Sarubbo gentoo-dev 2013-06-11 10:20:10 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-11 10:20:41 UTC 
x86 stable
Comment 4 Bernard Cafarelli gentoo-dev 2013-06-12 09:39:43 UTC 
Thanks ago! Vulnerable versions removed from tree
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 15:01:12 UTC 
GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 12:30:18 UTC 
This issue was resolved and addressed in
 GLSA 201310-19 at http://security.gentoo.org/glsa/glsa-201310-19.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:26:32 UTC 
CVE-2013-4376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4376):
  The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server before
  4.0.0.2 allows remote attackers to execute arbitrary code via unspecified
  vectors, relate to the path to libx2go-server-db-sqlite3-wrapper.pl.