Hi Alex, hi Richard, On Di 21 Mai 2013 10:40:45 CEST Oleksandr Shneyder wrote:
Finally I've also looked at the server. In short, the 90's called, they want their setuid bugs back. x2gosqlitewrapper.c just wrong, anyone can make it executing whatever binary he wants with higher privileges.Sorry, I don't understand what are you talking about. I not found the file "x2gosqlitewrapper.c" in the source tree of package "x2go server". If you found a security problem in the recent x2goserver code, please open a bug report on bug tracker, describe the problem and show how it can be used. In best case show an example of exploit and send a bug fix. Saying "it is just wrong, anyone can do something" is just your opinion without any arguments.
In x2goserver.git master the file has been renamed to libx2go-server-db-sqlite3-wrapper.c. On x2goserver.git branch release/4.0.0.x the file is still named x2gosqlitewrapper.c.
[1] http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=libx2go-server-db-perl/src/libx2go-server-db-sqlite3-wrapper.c
A similar setuid/setgid wrapper is in use with x2gobroker.git. The wrapper came in as a replacement for the deprecated perlsuid (removed in Perl 5.12 and above).
Both wrappers (in x2goserver.git and x2gobroker.git) were compromisable and I fixed both issues [2, 3] over the weekend.
[2] http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a [3] http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=65d635943bb2a8580eae0f04be99dcd3e5c9605c
Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: [email protected], http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
pgpdY9if8_MI5.pgp
Description: Digitale PGP-Unterschrift
_______________________________________________ X2Go-Dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/x2go-dev
