Hi Alex, hi Richard,
On Tue 21 May 2013 10:40:45 CEST Oleksandr Shneyder wrote:
>> Finally I've also looked at the server. In short, the 90's called, they want their setuid bugs back. x2gosqlitewrapper.c is just wrong, anyone can make it execute whatever binary he wants with higher privileges.
> Sorry, I don't understand what you are talking about. I did not find the file "x2gosqlitewrapper.c" in the source tree of the package "x2go server". If you found a security problem in the recent x2goserver code, please open a bug report on the bug tracker, describe the problem and show how it can be used. In the best case, show an example of an exploit and send a bug fix. Saying "it is just wrong, anyone can do something" is just your opinion without any arguments.
In x2goserver.git master the file has been renamed to
libx2go-server-db-sqlite3-wrapper.c. On x2goserver.git branch
release/4.0.0.x the file is still named x2gosqlitewrapper.c.
[1]
http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=libx2go-server-db-perl...
A similar setuid/setgid wrapper is in use with x2gobroker.git. The
wrapper came in as a replacement for the deprecated perlsuid (removed
in Perl 5.12 and above).
Both wrappers (in x2goserver.git and x2gobroker.git) were
compromisable and I fixed both issues [2, 3] over the weekend.
[2]
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474...
[3]
http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=65d635943bb2a858...
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...