[X2Go-Dev] x2go and (none)security

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue May 21 11:04:09 CEST 2013


Hi Alex, hi Richard,

On Di 21 Mai 2013 10:40:45 CEST Oleksandr Shneyder wrote:

>> Finally I've also looked at the server.
>> In short, the 90's called, they want their setuid bugs back.
>> x2gosqlitewrapper.c just wrong, anyone can make it executing whatever
>> binary he wants with higher privileges.
>
> Sorry, I don't understand what are you talking about. I not found the
> file "x2gosqlitewrapper.c" in the source tree of package "x2go server".
> If you found a security problem in the recent x2goserver code, please
> open a bug report on bug tracker, describe the problem and show how it
> can be used. In best case show an example of exploit and send a bug fix.
> Saying "it is just wrong, anyone can do something" is just your opinion
> without any arguments.
>

In x2goserver.git master the file has been renamed to  
libx2go-server-db-sqlite3-wrapper.c. On x2goserver.git branch  
release/4.0.0.x the file is still named x2gosqlitewrapper.c.

[1]  
http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c

A similar setuid/setgid wrapper is in use with x2gobroker.git. The  
wrapper came in as a replacement for the deprecated perlsuid (removed  
in Perl 5.12 and above).

Both wrappers (in x2goserver.git and x2gobroker.git) were  
compromisable and I fixed both issues [2, 3] over the weekend.

[2]  
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a
[3]  
http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=65d635943bb2a8580eae0f04be99dcd3e5c9605c

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20130521/6fd43ce5/attachment.pgp>


More information about the x2go-dev mailing list