Bug 378345 (CVE-2011-3977) - <net-misc/nxnode-, <net-misc/nxserver-freeedition- local command injection vulnerability (CVE-2011-3977)
Alias: CVE-2011-3977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2011-08-08 14:53 UTC by Bernard Cafarelli
Modified: 2012-01-23 12:18 UTC

Description Bernard Cafarelli gentoo-dev 2011-08-08 14:53:33 UTC
"The script can allow the execution of arbitrary commands on the system

The script, a SUIDed script used by NX Server Manager to update the server configuration, could be executed by any user to execute arbitrary commands on the system.

A possible workaround, until the new node and server packages fixing this issue are available, is to remove the script and replace it with a fake file: 

# rm /usr/NX/scripts/restricted/ 
# touch /usr/NX/scripts/restricted/ 

Please note that by applying this workaround, you will be no longer able to configure the server via NX Server Manager interface until you upgrade your NX server installation to the new package."

net-misc/nxnode- and net-misc/nxserver-freeedition- are in tree now, and are only a security bugfix over current 3.5 versions (in tree for more than 2 months, without new open bugs).

Stable candidates are (target keywords amd64 and x86):
* =net-misc/nxclient- (needed for 3.5 server)
* =net-misc/nxnode-.
* =net-misc/nxserver-freeedition-

Other NX servers in tree do not use this system, so are not affected.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-08-20 03:21:18 UTC
Thanks for the great detail, Bernard.

Arches, please test and mark stable:
Target keywords : "amd64 x86"

Target keywords : "amd64 x86"

Target keywords : "amd64 x86"
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-20 04:25:57 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-20 11:30:44 UTC
Take a look at bug 379959 that can't block this stabilization.

amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-08-20 16:45:05 UTC
all emerges and works
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-08-23 17:25:40 UTC
amd64 done. Thanks Agostino and Ian
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-08-23 17:30:21 UTC
Thanks, folks. GLSA request filed.
Comment 7 Bernard Cafarelli gentoo-dev 2011-09-23 09:43:46 UTC
Vulnerable versions removed from tree (thanks ago for the reminder in bug #384097)
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 12:18:58 UTC
This issue was resolved and addressed in
 GLSA 201201-07 at
by GLSA coordinator Sean Amoss (ackle).