Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 83560

Summary: net-misc/nxserver: X Server Authentication Bypass Security Issue
Product: Gentoo Security Reporter: Jean-François Brunette (RETIRED) <formula7>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: nx
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/14417/
Whiteboard: B4 [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-28 07:36:56 UTC 
Description:
Two security issues have been reported in NX Server, which can be exploited by malicious, local users to bypass certain security restrictions.

1) An error in the way the authority file is handled can allow access to the display of another user running a NX session on the system.

2) An error when reading the authority file can be exploited to interrupt the server by a signal, which can result in the server enabling local host access.

Solution:
Update to version 1.4.0-107.
http://www.nomachine.com/download.php
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:42:28 UTC 
One more for superStuart -- the package is still (or already) masked.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-27 02:01:51 UTC 
Stuart, any news on this one?
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2005-05-23 12:26:41 UTC 
This upgrade is now done.  Actually, it's been done for a month or so; but I
missed it because it wasn't assigned to the nx herd.

nxserver-*-1.4.0 hasn't come out of package.mask yet, so it's up to you whether
a GLSA should be issued or not.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-23 12:43:50 UTC 
Security please vote on GLSA release. I tend to vote YES. 
 
Stuart, you don't have to keep it masked until GLSA status is resolved.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-06-12 07:26:43 UTC 
x86: please test and mark nxserver-business-1.4.0 stable
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2005-06-16 19:03:02 UTC 
Stuart, I guess you can mark it.. I'm not even sure how to test this..
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-23 05:11:50 UTC 
Stuart any news on this one?
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-06-29 08:59:01 UTC 
Ready for GLSA vote
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-03 09:54:25 UTC 
I tend to say NO, as this has been fixed a long time ago, and I don't see an
easy way to exploit this.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-03 13:28:17 UTC 
Voting NO as well -> closing.