Package: x2goclient
Severity: important
In X2Go it is currently possible to replace every command in X2Go
Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.
IMHO, we should make sure X2Go Client only uses system-wide paths
when invoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user>
space, but actually, I prefer a safe setup to such custom installation
tweaks.
Feedback?!?
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
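The proposal in the report above (use only system-wide paths when invoking server commands), sketched as an added Python example; it is not code from X2Go Client, X2Go Server or Python X2Go. The directory list, the POSIX remote shell, the ownership rule and the command name `demo-x2go-cmd` are assumptions made for illustration.

```python
import os
import shlex
import shutil
import tempfile

# Assumption: the directories treated as system-wide on the server.
SYSTEM_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")

def _check_name(name):
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("bare command name expected: %r" % (name,))

def _trusted(path, uids):
    """Owned by a trusted uid and not writable by group or others."""
    st = os.stat(path)
    return st.st_uid in uids and not (st.st_mode & 0o022)

def resolve_system_command(name, dirs=SYSTEM_DIRS, trusted_uids=(0,)):
    """Server side: resolve `name` in `dirs` only; $PATH is never consulted."""
    _check_name(name)
    for d in dirs:
        path = os.path.join(d, name)
        is_exec = os.path.isfile(path) and os.stat(path).st_mode & 0o111
        if is_exec and _trusted(d, trusted_uids) and _trusted(path, trusted_uids):
            return path
    raise FileNotFoundError("%s not found in %s" % (name, ":".join(dirs)))

def remote_command_line(name, args=(), dirs=SYSTEM_DIRS):
    """Client side: line for a POSIX remote shell with PATH pinned to `dirs`."""
    _check_name(name)
    cmd = " ".join(shlex.quote(w) for w in (name, *args))
    return "PATH=%s; export PATH; %s" % (shlex.quote(":".join(dirs)), cmd)

def demo(name="demo-x2go-cmd"):  # hypothetical command name
    """Constructed layout: a user-owned bin directory shadowing a 'system' one."""
    root = tempfile.mkdtemp()
    home_bin, sys_bin = (os.path.join(root, p, "bin") for p in ("home", "usr"))
    for d in (home_bin, sys_bin):
        os.makedirs(d, mode=0o755)
        with open(os.path.join(d, name), "w") as fh:
            fh.write("#!/bin/sh\necho %s\n" % d)
        os.chmod(os.path.join(d, name), 0o755)
    # What a PATH of "~/bin:/usr/bin" selects: the first directory that has it.
    by_path = next(d for d in (home_bin, sys_bin)
                   if os.path.isfile(os.path.join(d, name)))
    pinned = resolve_system_command(name, (sys_bin,), (os.getuid(),))
    shutil.rmtree(root)
    return by_path == home_bin, os.path.dirname(pinned) == sys_bin
```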
clone #334 -1
reassign #334 python-x2go
thanks
Hi all,
On Tue 29 Oct 2013 13:41:06 CET, Mike Gabriel wrote:
Package: x2goclient
Severity: important
In X2Go it is currently possible to replace every command in X2Go
Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.
IMHO, we should make sure X2Go Client only uses system-wide paths
when invoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user>
space, but actually, I prefer a safe setup to such custom
installation tweaks.
Feedback?!?
Mike
This issue also applies to Python X2Go.
Processing commands for control@bugs.x2go.org:
clone #334 -1
Bug #334 [x2goclient] Don't allow users to override X2Go commands via ~/bin (or similar)
Bug 334 cloned as bug 336
reassign #334 python-x2go
Bug #334 [x2goclient] Don't allow users to override X2Go commands via ~/bin (or similar)
Bug reassigned from package 'x2goclient' to 'python-x2go'.
Ignoring request to alter found versions of bug #334 to the same values previously set
Ignoring request to alter fixed versions of bug #334 to the same values previously set
thanks
Stopping processing here.
334: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=334
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems