Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 896180 (CVE-2023-24486) - <net-misc/icaclient-23.2.0.10: session takeover vulnerability
Summary: <net-misc/icaclient-23.2.0.10: session takeover vulnerability
Status: IN_PROGRESS
Alias: CVE-2023-24486
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://support.citrix.com/article/CT...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-24 09:06 UTC by Henning Schild
Modified: 2024-10-18 20:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Henning Schild 2023-02-24 09:06:28 UTC
The two ebuilds we currently have in the tree are affected by that. The version with the fix can be found here:

https://github.com/gentoo/gentoo/pull/29428

Reproducible: Always




We should likely update and drop the two others. Possibly making the whole package ~ only again.
Comment 1 Henning Schild 2023-02-25 18:00:45 UTC
Please let me know how to proceed with that. I guess we need a GLSA, drop the two (stable) and merge the new one (~). On top maybe a news item for users that this one is no longer stable.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-27 15:50:38 UTC
Why wouldn't we stable the new one?

CVE-2023-24486:

A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.
Comment 3 Henning Schild 2023-02-27 16:49:10 UTC
We could maybe just stable the new one. That would be faster than the usual 30 days, but maybe in this case it would be allowed.

The whole story about making this non-stable again is something i wanted to do for some time, but we should not mix topics and first see about this one.
Comment 4 Henning Schild 2023-03-01 17:41:54 UTC
new package was merged, next step will be to drop the old stuff as proposed here

https://github.com/gentoo/gentoo/pull/29873
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-06 04:33:46 UTC
(In reply to Henning Schild from comment #4)
> new package was merged, next step will be to drop the old stuff as proposed
> here
> 
> https://github.com/gentoo/gentoo/pull/29873

But why would we do this and not stable the new one? Please just file a stablereq and have it block this bug.
Comment 6 Joonas Niilola gentoo-dev 2023-03-06 07:53:38 UTC
(In reply to John Helmert III from comment #5)
> (In reply to Henning Schild from comment #4)
> > new package was merged, next step will be to drop the old stuff as proposed
> > here
> > 
> > https://github.com/gentoo/gentoo/pull/29873
> 
> But why would we do this and not stable the new one? Please just file a
> stablereq and have it block this bug.

I promise you no AT will ever stabilize it, because it's fetch-restricted.
Comment 7 Henning Schild 2023-03-13 07:09:01 UTC
No affected ebuilds in the tree any longer.
Comment 8 Henning Schild 2023-05-08 19:44:34 UTC
i think this one can be closed
Comment 9 OzTiram 2024-10-18 20:05:35 UTC
The package not longer exists in the ebuild tree.
Comment 10 Christopher Fore 2024-10-18 20:30:55 UTC
Please do not close bugs assigned to security@, there is still a possibility that the package will receive a GLSA and security bugs are to be closed only after the security project votes to either not publish a GLSA or the GLSA is published.