oss-sec mailing list archives
Re: CVE request: X2Go Server privilege escalation
From: cve-assign () mitre org
Date: Mon, 19 May 2014 03:01:10 -0400 (EDT)
> I don't see a CVE assigned for the vulnerability announced here:
> http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/83
> It appears that this is a privilege escalation through injecting
> backticks, but I'm not absolutely sure. It is fixed as of versions
> 4.0.1.10/4.0.0.8 in the following commits:
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104

Use CVE-2013-7383. Please clarify whether there is a fourth required commit. (The first commit was listed twice in your original message.)

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]