Dear Dmitry,

On Thu 26 Sep 2013 20:10:29 CEST, Secunia Research wrote:

> Hello,
>
> We are currently processing release notes [1] for X2Go Server and are evaluating to issue a Secunia advisory for this. Please see the original document for details.
>
> For the benefit of our mutual customers, to properly evaluate the mentioned vulnerability, we would appreciate if you could provide us with additional information:
>
> * Can you provide any additional information about the fixed vulnerability?

The vulnerability fix can be found at [1] for the current master branch and a similar approach on the 4.0.0.x/4.0.1.x release branches [2].

> * Can you provide additional information with regards to the impact and the exploitability of the vulnerability (e.g. an attack vector)?

Before the above commit it was easily possible to execute arbitrary code as user x2gouser. The setuid/gid wrapper (gid in our case) is a replacement for deprecated perlsuid.
The release is included in X2Go Server 4.0.0.2 and any later version. There were times when X2Go was still using perlsuid. There the vulnerability did not exist either [3].

> * Are there any mitigating factors or recommended workarounds?

Upgrade to latest versions. We maintain the 4.0.0.x release series for some more months/years (LTS X2Go bundle releases aka Baikal). The current stable releases (4.0.1.x series) can also be chosen for upgrade. The master branch is not yet released, but also fixes the issue that occurred.

> Thank you in advance and kind regards,
>
> Dmitry Janushkevich
>
> References:
> [1] http://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html

Greets,
Mike

PS: please note that there was a similar issue to fix in the X2Go Session Broker [4]. That one got solved in x2gobroker 0.0.2.2 and existed in all earlier versions.

[1] http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a
[2] http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=011d14ae076ba6fec96cd1e019c4f82444ab0f9f
[3] http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=5c60ad18f7db28c0e397c0f74715eedc1ae1cbf4
[4] http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=65d635943bb2a8580eae0f04be99dcd3e5c9605c

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: [email protected], http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
