Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 210317 - net-misc/nxnode, net-misc/nx Xorg security fixes included
Summary: net-misc/nxnode, net-misc/nx Xorg security fixes included
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-02-16 01:57 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-06 13:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:57:30 UTC
"NoMachine makes available today the second maintenance release of NX Node 3.1.0. The new packages include minor bug fixes to the NX software and, namely, some security fixes affecting the X11 code-base."

Seems to be xorg bug 204362.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 01:58:53 UTC
NX herd, please bump -- or do we have all the necessary code in the tree already? The last ebuild commit is dated before the press release. If so, is it ready for stabling?
Comment 2 Bernard Cafarelli gentoo-dev 2008-02-17 22:42:16 UTC
This is indeed bug #204362:
"Four of the vulnerabilities affect NX Node 3.1.0-5, namely:

XInput Extension Memory Corruption Vulnerability [IDEF2888 CVE-2007-6427].
TOG-CUP Extension Memory Corruption Vulnerability [IDEF2901 CVE-2007-6428].
EVI Extension Integer Overflow Vulnerability [IDEF2902 CVE-2007-6429].
MIT-SHM Extension Integer Overflow Vulnerability [IDEF2904 CVE-2007-6429]"

Both nxnode and nx packages need to be bumped, I'm adding new versions. 
Stabling packages should also involve net-misc/nxclient-3.1.0 and net-misc/nxserver-freeedition-3.1.0, to go along with new nxnode-3.1.0.

I'll sum up what needs to be stabled as soon as I have the packages in the tree
Comment 3 Bernard Cafarelli gentoo-dev 2008-02-17 23:12:55 UTC
Ok, new packages with security fixes included:
Current stable versions are also based on Xorg, so security stabling is needed

Need amd64 and x86 stable keywords:
net-misc/nxclient-3.1.0 (ready for stable, to go along with nxnode-3.1)
net-misc/nxserver-freeedition-3.1.0 (same)

x86 stable keyword:
net-misc/nxserver-freenx-0.7.1-r2 (ready for stable, has patches with better 3.1 nx detection)

I was about to finally ask amd64 stabling on freenx, I guess it will have to wait a bit more...
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-18 04:07:05 UTC
Thanks for the fast update, arches please stable as mentioned in the above comment.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-18 17:57:22 UTC
x86 stable
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 08:43:51 UTC
I'm working on stabilization of this stuff. But I've never used it so this'll take some time. Hopefully today or tomorrow, I'll stabilize it.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 19:59:18 UTC
Well while I'm progressing in getting this stuff working I see the following problem with nxnode ebuild. It does:

  chown nx:root "${ROOT}"/usr/NX/etc/node.lic

while it does not create nx user. Also for consistency it's better to use chown nx:0 ... see bug 103563.
Comment 8 Bernard Cafarelli gentoo-dev 2008-03-10 00:58:16 UTC
Thanks, the nx user is now created in nxnode (this worked before because the NX install script fixed the ownership in nxserver ebuild), and it's now nx:0. Should be fine (nxnode-3.1.0-r2)
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-03-19 11:17:02 UTC
amd64 stable. After IRC discussion with voyageur I've stabilized -r1 for nxnode and nserver-freeedition.

Fixed in release snapshot.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:19:06 UTC
request filed
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 13:33:02 UTC
GLSA 200804-05