Hello X2Go Developers,
Over the last few weeks, I have been auditing nx-libs against all the vulnerabilities (CVEs) in X.org 6.9.0.
nx-libs 3.5.0 (released by NoMachine in 2011) contains a fork of X.org 6.9.0 (released in December 2005). So our concern was that a large percentage of the X.org vulnerabilities announced since X.org 6.9.0 affect nx-libs.
I wrote a spreadsheet with the results of my audit here. Note that I have not actually tested whether the vulnerabilities affect us. For example, I have not tried out any proof-of-concept exploits. But if the vulnerable code is present, and the vulnerable code is not totally ignored by nx-libs, then I assumed that the vulnerability affects nx-libs. The only exception is CVE-2013-1940; I inferred that it does not affect us because it only affects VT switching on Linux, and nx-libs does not use VTs.
https://docs.google.com/spreadsheets/d/1WeneRYO2TkXYOl5J0WozThsLkreF1DiuJAvK...
To summarize the results:
As I audited nx-libs, I fixed each vulnerability. Before the December 2014 vulnerabilities, I backported the commit/patch from upstream X.org. For the December 2014 vulnerabilities, which were numerous and whose patches/commits were hard to merge, I obtained the patches from RHEL5 instead. RHEL 5 uses X.org 7.1 (xorg-server 1.1.1), so their patches were easier to apply to nx-libs.
I am a beginner at programming in C. So I asked Mike#1 (Mike Gabriel) to review my work. He did, and did not find any issues. I still welcome further review though.
Mike#1 committed my work to the 3.6.x branch:
1st commit: http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=af55da1e9c1a6a352b24823...
last (40th) commit: http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=1ea1cd8c4f93b0c03e5b34f...
He also committed it to the 3.5.0.x branch as one commit with 40 patch files: http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=4587881130db36125c6...
However, because many lines of code have been changed, Mike#1 and I agreed that we will not release 3.5.0.29 with these fixes immediately. Instead, we will let users/developers do some testing to see if any regressions were introduced.
Also, note that by default, X2Go launches nxagent (the nx-libs X server) with "-nolisten tcp". This is configurable in /etc/x2go/x2goagent.options. This setting mitigates many of the vulnerabilities by preventing nxagent from ever talking to X11 clients not running on the X2Go Server. I will now be determining which vulnerabilities it does mitigate.
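The "-nolisten tcp" mitigation described in the message can be checked on an X2Go Server with the two functions below, added here as an example and not part of the original post or of X2Go's own tooling; the variable name X2GO_NXAGENT_DEFAULT_OPTIONS in x2goagent.options and the column layout of "ss -Hltn" output are assumptions, and the sample file and socket listing are constructed.

```shell
#!/bin/sh
# Added example (not from the X2Go post): verify that nxagent is configured
# with "-nolisten tcp" and that no X11 display port is listening on TCP.
# Assumption: x2goagent.options stores the flags in X2GO_NXAGENT_DEFAULT_OPTIONS.

# Return 0 if an nxagent option string contains the pair "-nolisten tcp",
# 1 otherwise ("-nolisten unix" or a bare "-nolisten" does not count).
has_nolisten_tcp() {
    _prev=""
    for _tok in $1; do
        if [ "$_prev" = "-nolisten" ] && [ "$_tok" = "tcp" ]; then
            return 0
        fi
        _prev="$_tok"
    done
    return 1
}

# Extract the option value from an x2goagent.options-style file ($1) with sed
# instead of sourcing it, so the check never executes the file's contents.
agent_options_from_file() {
    sed -n 's/^X2GO_NXAGENT_DEFAULT_OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Count TCP listeners on X11 display ports 6000-6063 from header-less
# "ss -Hltn" output on stdin (column 4 is Local Address:Port).
x11_tcp_listeners() {
    awk '{ n = split($4, a, ":"); p = a[n] + 0
           if (p >= 6000 && p <= 6063) c++ } END { print c + 0 }'
}

# --- constructed sample data (not a real server) ---------------------------
SAMPLE_OPTS=$(mktemp)
trap 'rm -f "$SAMPLE_OPTS"' EXIT
cat >"$SAMPLE_OPTS" <<'EOF'
# constructed stand-in for /etc/x2go/x2goagent.options
X2GO_NXAGENT_DEFAULT_OPTIONS="-extension GLX -nolisten tcp -dpi 96"
EOF
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 [::]:6000 [::]:*'

if has_nolisten_tcp "$(agent_options_from_file "$SAMPLE_OPTS")"; then
    echo "configured nxagent options include -nolisten tcp"
fi
echo "X11 TCP listeners in sample: $(printf '%s\n' "$SAMPLE_SS" | x11_tcp_listeners)"
# Live use: agent_options_from_file /etc/x2go/x2goagent.options
#           ss -Hltn | x11_tcp_listeners     (expect 0 on a hardened server)
```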