Hi Mike,

Thanks for your prompt reply and patching!

Regards,
Hayawardh

On Fri, Jan 6, 2012 at 1:55 PM, Mike Gabriel <[email protected]> wrote:

> Hi Hayawardh,
>
> On Fr 06 Jan 2012 00:26:29 CET Hayawardh V wrote:
>
>> Hi,
>>
>> There is an untrusted library search path vulnerability in x2gostartagent.
>>
>> Lines 188,189 in /usr/bin/x2gostartagent in the Ubuntu PPA package say:
>>
>> LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${X2GO_LIB}"
>> export LD_LIBRARY_PATH
>>
>> If one of these is empty, then there will be an empty addendum to
>> LD_LIBRARY_PATH, which will make ld search for libraries in the current
>> working directory.
>>
>> Programs xauth, x2goserver-run-extensions and x2gofeature (and the programs
>> further spawned by them, including perl, basename, find, grep, sort, bash
>> etc.) are launched with this insecure LD_LIBRARY_PATH.
>>
>> Thus, the current working directory will be searched for shared libraries
>> when this command is launched.
>>
>> Usually, x2gostartagent is launched over ssh, and the current working
>> directory will be the user's home directory.
>>
>> The problem is that if a user is tricked into downloading a malicious
>> library off the Internet and saves it into his home directory, this
>> malicious library will be loaded and can take control of the user's process
>> when an x2go session is launched.
>>
>> The fix is simply to check if either LD_LIBRARY_PATH or X2GO_LIB is empty.
>> I am pasting the patch below.
>>
>> Please keep me updated on this issue.
>>
>> Thanks,
>> Hayawardh Vijayakumar
>>
>> --- /usr/bin/x2gostartagent 2012-01-05 17:48:07.843705023 -0500 >> +++ /usr/bin/x2gostartagent.fixed 2012-01-05 16:44:41.839705377 >> -0500 
>> @@ -184,8 +184,13 @@ >> >> X2GO_COOKIE=`mcookie` >> >> +if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ] >> +then >> + LD_LIBRARY_PATH="${LD_LIBRARY_**PATH}${X2GO_LIB}" >> +else >> + LD_LIBRARY_PATH="${LD_LIBRARY_**PATH}:${X2GO_LIB}" >> +fi >> >> -LD_LIBRARY_PATH="${LD_**LIBRARY_PATH}:${X2GO_LIB}" >> export LD_LIBRARY_PATH >> >> PATH="${PATH}:${X2GO_BIN}/" >> >>
>
> Very sensible patch!!! Just committed...
>
> Mike
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, dorfstr. 27, 24245 barmissen
> fon: +49 (4302) 281418, fax: +49 (4302) 281419
>
> GnuPG Key ID 0xB588399B
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>
> freeBusy:
> https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
>
> _______________________________________________
> X2go-Dev mailing list
> [email protected]
> https://lists.berlios.de/mailman/listinfo/x2go-dev
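Review bot: The added test `if [ ! ${LD_LIBRARY_PATH} ] || [ ! ${X2GO_LIB} ]` expands both variables unquoted, so it gives the intended answer for an empty value only because `[ ! ]` happens to evaluate true, and a value containing whitespace makes `[` fail with an argument error; `[ -z "${LD_LIBRARY_PATH}" ] || [ -z "${X2GO_LIB}" ]` states the check directly. The branch also covers only wholly empty variables: an inherited LD_LIBRARY_PATH that already begins or ends with a colon, or contains `::`, still carries an empty element into the exported value, so consider stripping empty elements from the joined string before the `export LD_LIBRARY_PATH` line.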
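The failure mode described in the report, as an added example that is not part of the original thread or of x2gostartagent: a POSIX sh helper that joins two colon-separated lists and drops every empty element, including the leading, trailing and doubled colons that a plain emptiness check on the two variables does not catch. The function names and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not x2gostartagent code. Function names are hypothetical
# and all sample paths below are constructed.

# clean_path_list LIST
# Print LIST with empty elements removed, so that no element can be
# interpreted as the current working directory. Runs in a subshell so the
# IFS and globbing changes do not leak into the caller.
clean_path_list() (
    out=
    set -f          # no pathname expansion while splitting on ":"
    IFS=:
    for elem in $1; do
        [ -n "$elem" ] || continue
        out="${out:+$out:}$elem"
    done
    printf '%s\n' "$out"
)

# append_path_list CURRENT EXTRA
# Join two lists and clean the result; either argument may be empty.
append_path_list() {
    clean_path_list "$1:$2"
}

# has_empty_element LIST
# Return 0 when a non-empty LIST contains an empty element (leading colon,
# trailing colon or "::"), which is the condition worth auditing for.
has_empty_element() {
    case $1 in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed inputs: "current|extra" pairs as they might reach the join.
for pair in "|/usr/lib/x2go" "/opt/lib:|/usr/lib/x2go" "/a::/b|"; do
    cur=${pair%%|*}
    extra=${pair#*|}
    naive="$cur:$extra"     # the original unconditional join
    if has_empty_element "$naive"; then flag=UNSAFE; else flag=ok; fi
    printf 'naive=%-28s %-6s cleaned=%s\n' \
        "'$naive'" "$flag" "'$(append_path_list "$cur" "$extra")'"
done
```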
