oss-sec mailing list archives
CVE request: X2Go Server privilege escalation
From: Chris Reffett <creffett () gentoo org>
Date: Sat, 17 May 2014 22:09:01 -0400
Hello,

I don't see a CVE assigned for the vulnerability announced here:
http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/83

It appears that this is a privilege escalation through injecting backticks, but I'm not absolutely sure. It is fixed as of versions 4.0.1.10/4.0.0.8 in the following commits:

http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104

Could a CVE be assigned?

Thanks,
Chris Reffett