[X2Go-Dev] [Secunia] X2Go Server Vulnerability Request for Details
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Sat Sep 28 00:13:23 CEST 2013
Dear Dmitry,
On Do 26 Sep 2013 20:10:29 CEST, Secunia Research wrote:
> Hello,
>
> We are currently processing release notes [1] for X2Go Server and are
> evaluating to issue a Secunia advisory for this. Please see the original
> document for details.
>
> For the benefit of our mutual customers, to properly evaluate the mentioned
> vulnerability, we would appreciate if you could provide us with additional
> information:
>
> * Can you provide any additional information about the fixed vulnerability?
The vulnerability fix can be found at [1] for the current master
branch and a similar approach on the 4.0.0.x/4.0.1.x release branches
[2].
> * Can you provide additional information with regards to the impact and the
> exploitability of the vulnerability (e.g. an attack vector)?
Before the above commit it was easily possible to execute arbitrary
code as user x2gouser.
The setuid/gid wrapper (gid in our case) is a replacement for
deprectated perlsuid.
The release is included in X2Go Server 4.0.0.2 and any later version.
There were times when X2Go was still using perlsuid. There the
vulnerability did neither exist [3].
> * Are there any mitigating factors or recommended workarounds?
Upgrade to latest versions. We maintain the 4.0.0.x release series for
some more months/years (LTS X2Go bundle releases aka Baikal). The
current stable releases (4.0.1.x series) can also be chosen for
upgrade. The master branch is not yet released, but also fixes the
occurred issue.
> Thank you in advance and kind regards,
> Dmitry Janushkevich
>
> References:
> [1] http://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
Greets,
Mike
PS: please note that there was a similar issue to fix in the X2Go
Session Broker [4]. That one got solved in x2gobroker 0.0.2.2 and
existed in all earlier versions.
[1]
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a
[2]
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=011d14ae076ba6fec96cd1e019c4f82444ab0f9f
[3]
http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=5c60ad18f7db28c0e397c0f74715eedc1ae1cbf4
[4]
http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=65d635943bb2a8580eae0f04be99dcd3e5c9605c
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 7251 bytes
Desc: ?ffentlicher PGP-Schl?ssel
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20130927/c672564f/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20130927/c672564f/attachment.pgp>
More information about the x2go-dev
mailing list