oss-sec mailing list archives
Re: CVE request: X2Go server
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 25 Sep 2013 09:41:49 -0600
On 09/24/2013 12:33 PM, Chris Reffett wrote:
> Hi all,
>
> I couldn't find a CVE, so I would like to request one for a vulnerability in X2Go Server. The vendor reported an issue where a remote user could execute arbitrary code as the x2go user, apparently by leveraging a setgid executable which did not have a hardcoded path to "libx2go-server-db-sqlite3-wrapper.pl". [1] is the commit fixing the vulnerable code, [2] is the upstream release announcement.
>
> Thanks,
> Chris Reffett
>
> [1] http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=42264c88d7885474ebe3763b2991681ddfcfa69a
> [2] https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html

Please use CVE-2013-4376 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
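An added example, not part of the thread and not X2Go's own code: one way a setgid launcher can pin its helper to a hardcoded absolute path, the property the request says the vulnerable executable lacked. The install path in `HELPER_PATH` and the function name `helper_is_trusted` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed install location: a placeholder, not a path from the thread. */
#define HELPER_PATH "/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper.pl"

/* Return 0 if `path` is acceptable as the exec target of a setgid
 * launcher, -1 otherwise. */
int helper_is_trusted(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return -1;              /* relative: resolved against caller's cwd */
    if (lstat(path, &st) != 0)
        return -1;              /* missing or not reachable */
    if (!S_ISREG(st.st_mode))
        return -1;              /* symlink, directory, device, ... */
    if (st.st_uid != 0)
        return -1;              /* not owned by root */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;              /* writable by group or others */
    return 0;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing inherited from the caller (PATH,
     * PERL5LIB, PERL5OPT, ...) reaches the helper's interpreter. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    static char helper[] = HELPER_PATH;

    if (argc < 1)
        return EXIT_FAILURE;    /* no argv[0] slot to overwrite */
    if (helper_is_trusted(helper) != 0) {
        fprintf(stderr, "refusing to run %s\n", helper);
        return EXIT_FAILURE;
    }
    argv[0] = helper;           /* caller-supplied argv[0] is discarded */
    execve(helper, argv, clean_env);
    perror("execve");           /* reached only if execve failed */
    return EXIT_FAILURE;
}
```

The check is only meaningful if every directory leading to the helper is also root-owned and not writable by other users, since the path is resolved again at `execve`.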
Current thread:
- CVE request: X2Go server Chris Reffett (Sep 24)
- Re: CVE request: X2Go server Kurt Seifried (Sep 25)