[X2Go-Dev] Fixes for 2011-2014 X.org CVEs and potential regressions in nx-libs

Mike DePaulo mikedep333 at gmail.com
Sat Feb 14 18:43:02 CET 2015


Hello X2Go Developers,

Over the last few weeks, I have been auditing nx-libs against all the
vulnerabilities (CVEs) in X.org 6.9.0.

nx-libs 3.5.0 (released by NoMachine in 2011) contains a fork of X.org
6.9.0 (released in December 2005). So our concern was that a large
percentage of the X.org vulnerabilities announced since X.org 6.9.0
affect nx-libs.

I wrote a spreadsheet with the results of my audit here. Note that I
have not actually tested whether the vulnerabilities affect us. For
example, I have not tried out any proof-of-concept exploits. But if
the vulnerable code is present, and the vulnerable code is not totally
ignored by nx-libs, then I assumed that the vulnerability affects
nx-libs. The only exception is CVE-2013-1940; I inferred that it does
not affect us because it only affects VT switching on Linux, and
nx-libs does not use VTs.

https://docs.google.com/spreadsheets/d/1WeneRYO2TkXYOl5J0WozThsLkreF1DiuJAvKCj7xFjU/edit#gid=0

To summarize the results:
1. Some vulnerabilities do not affect us for various reasons. Often
because the code was removed by NoMachine.
2. NoMachine did a very good job of patching the vulnerabilities. The
earliest vulnerability that was unpatched, CVE-2011-2895, was
announced on 2011-08-10.
3. The majority of the vulnerabilities after 2011-08-10 did affect
nx-libs 3.5.0.x and nx-libs 3.6.x. I fixed these and the fixes are now
in git. See details below.

As I audited nx-libs, I fixed each vulnerability. Before the December
2014 vulnerabilities, I backported the commit/patch from upstream
X.org. For the December 2014 vulnerabilities, which were numerous and
whose patches/commits were hard to merge, I obtained the patches from
RHEL 5 instead. RHEL 5 uses X.org 7.1 (xorg-server 1.1.1), so their
patches were easier to apply to nx-libs.

I am a beginner at programming in C. So I asked Mike#1 (Mike Gabriel)
to review my work. He did, and did not find any issues. I still
welcome further review though.

Mike#1 committed my work to the 3.6.x branch:
1st commit:
http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=af55da1e9c1a6a352b24823a8f7062c288ffbbc0
last (40th) commit:
http://code.x2go.org/gitweb?p=nx-libs.git;a=commit;h=1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa

He also committed it to the 3.5.0.x branch as one commit with 40 patch
files:
http://code.x2go.org/gitweb?p=nx-libs.git;a=commitdiff;h=4587881130db36125c6b800e8f7e3fa0a3c5c9fb;hp=f46d117903c4bc4fe9863041f470e8816d355709

However, because many lines of code have been changed, Mike#1 and I
agreed that we will not release 3.5.0.29 with these fixes immediately.
Instead, we will let users/developers do some testing to see if any
regressions were introduced.

Also, note that by default, X2Go launches nxagent (the nx-libs X
server) with "-nolisten tcp". This is configurable in
/etc/x2go/x2goagent.options. This setting mitigates many of the
vulnerabilities by preventing nxagent from ever talking to X11 clients
not running on the X2Go Server. I will now be determining which
vulnerabilities it does mitigate.
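As an added illustration of the mitigation check described above (example script, not part of the original mail or of the X2Go project), the following POSIX sh snippet confirms that a running nxagent carries "-nolisten tcp" and that no X11 TCP port (6000-6063) is listening. The sample command line and the `ss -ltn` output are constructed so the check runs offline; the display number :50 is an assumption.

```sh
#!/bin/sh
# Added example: verify the "-nolisten tcp" mitigation for nxagent.

# Return 0 if the nxagent command line contains "-nolisten tcp", 1 otherwise.
nxagent_tcp_disabled() {
    cmdline="$1"
    case " $cmdline " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print local address:port of every LISTEN socket in the X11 range 6000-6063.
# Takes `ss -ltn` output as an argument so it can be run on captured text.
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($4, a, ":"); p = a[n] + 0
        if (p >= 6000 && p <= 6063) print $4
    }'
}

# Print "mitigated" when the flag is present and no X11 TCP listener exists,
# otherwise "exposed". Returns 0 for mitigated, 1 for exposed.
x11_exposure() {
    if nxagent_tcp_disabled "$1" && [ -z "$(x11_tcp_listeners "$2")" ]; then
        echo mitigated; return 0
    fi
    echo exposed; return 1
}

# Constructed samples (assumed display :50; not captured from a real host).
SAMPLE_CMD_OK='nxagent -extension GLX -nolisten tcp -dpi 96 :50'
SAMPLE_CMD_BAD='nxagent -extension GLX -dpi 96 :50'
SAMPLE_SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_SS_OPEN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6050       0.0.0.0:*'
```

On a live host, pass the output of `ps -o args= -C nxagent` and `ss -ltn` instead of the constructed samples.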

-Mike#2