Bug 472582 (CVE-2013-4376) - <net-misc/x2goserver-4.0.0.2: arbitrary code execution as uid x2gouser (CVE-2013-4376)
Status: RESOLVED FIXED
Alias: CVE-2013-4376
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.berlios.de/pipermail/x2...
Whiteboard: B2 [glsa]
Reported: 2013-06-07 14:11 UTC by Bernard Cafarelli
Modified: 2013-12-12 17:26 UTC

Description Bernard Cafarelli gentoo-dev 2013-06-07 14:11:17 UTC
Per upstream announcement (in URL), this version includes:
Vulnerability fix. With the previous version it was easily possible for an attacker to execute arbitrary code as uid x2gouser.
WARNING::: The above mentioned vulnerability fix demands that you upgrade all your X2Go Server installations to version 4.0.0.2.

4.0.0.2 is in tree now and works fine with ~arch x2goclient and net-misc/nx, but I have not tested it as much with stable versions.

To be on the safe side, we should stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2
Target arches: amd64 and x86

Both nx and x2goclient versions have been in tree for some time now without new bug reports.
Comment 1 Bernard Cafarelli gentoo-dev 2013-06-10 23:02:35 UTC
With arches CC'ed it will be better, sorry. Arches, please test and mark stable:
* net-misc/nx-3.5.0.20
* net-misc/x2goclient-4.0.1.0 (to test the server)
* net-misc/x2goserver-4.0.0.2 (only recent package)

Thanks!
Comment 2 Agostino Sarubbo gentoo-dev 2013-06-11 10:20:10 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-06-11 10:20:41 UTC
x86 stable
Comment 4 Bernard Cafarelli gentoo-dev 2013-06-12 09:39:43 UTC
Thanks ago! Vulnerable versions removed from tree
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 15:01:12 UTC
GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-10-28 12:30:18 UTC
This issue was resolved and addressed in
GLSA 201310-19 at http://security.gentoo.org/glsa/glsa-201310-19.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:26:32 UTC
CVE-2013-4376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4376):
  The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server before
  4.0.0.2 allows remote attackers to execute arbitrary code via unspecified
  vectors, related to the path to libx2go-server-db-sqlite3-wrapper.pl.