Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 896180 (CVE-2023-24486)

Summary: <net-misc/icaclient-23.2.0.10: session takeover vulnerability
Product: Gentoo Security Reporter: Henning Schild <henning>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: henning, oz.tiram, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---

Description Henning Schild 2023-02-24 09:06:28 UTC 
The two ebuilds we currently have in the tree are affected by that. The version with the fix can be found here:

https://github.com/gentoo/gentoo/pull/29428

Reproducible: Always




We should likely update and drop the two others. Possibly making the whole package ~ only again.
Comment 1 Henning Schild 2023-02-25 18:00:45 UTC 
Please let me know how to proceed with that. I guess we need a GLSA, drop the two (stable) and merge the new one (~). On top maybe a news item for users that this one is no longer stable.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-27 15:50:38 UTC 
Why wouldn't we stable the new one?

CVE-2023-24486:

A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.
Comment 3 Henning Schild 2023-02-27 16:49:10 UTC 
We could maybe just stable the new one. That would be faster than the usual 30 days, but maybe in this case it would be allowed.

The whole story about making this non-stable again is something i wanted to do for some time, but we should not mix topics and first see about this one.
Comment 4 Henning Schild 2023-03-01 17:41:54 UTC 
new package was merged, next step will be to drop the old stuff as proposed here

https://github.com/gentoo/gentoo/pull/29873
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-06 04:33:46 UTC 
(In reply to Henning Schild from comment #4)
> new package was merged, next step will be to drop the old stuff as proposed
> here
> 
> https://github.com/gentoo/gentoo/pull/29873

But why would we do this and not stable the new one? Please just file a stablereq and have it block this bug.
Comment 6 Joonas Niilola gentoo-dev 2023-03-06 07:53:38 UTC 
(In reply to John Helmert III from comment #5)
> (In reply to Henning Schild from comment #4)
> > new package was merged, next step will be to drop the old stuff as proposed
> > here
> > 
> > https://github.com/gentoo/gentoo/pull/29873
> 
> But why would we do this and not stable the new one? Please just file a
> stablereq and have it block this bug.

I promise you no AT will ever stabilize it, because it's fetch-restricted.
Comment 7 Henning Schild 2023-03-13 07:09:01 UTC 
No affected ebuilds in the tree any longer.
Comment 8 Henning Schild 2023-05-08 19:44:34 UTC 
i think this one can be closed
Comment 9 OzTiram 2024-10-18 20:05:35 UTC 
The package not longer exists in the ebuild tree.
Comment 10 Christopher Fore 2024-10-18 20:30:55 UTC 
Please do not close bugs assigned to security@, there is still a possibility that the package will receive a GLSA and security bugs are to be closed only after the security project votes to either not publish a GLSA or the GLSA is published.