Gentoo has issued an advisory today (October 28):
http://www.gentoo.org/security/en/glsa/glsa-201310-19.xml

The issue is fixed in version 4.0.0.2.

Mageia 3 is also affected; Mageia 2 may be as well.
Whiteboard: (none) => MGA3TOO, MGA2TOO
CC: (none) => mageia
CC: (none) => oliver.bgr
Assignee: oliver.bgr => mageia
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL.
http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
Blocks: (none) => 10739
Suggested advisory:
========================

Updated x2goserver packages fix security vulnerabilities:

A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process.

References:
https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
http://lwn.net/Vulnerabilities/571986/
========================

Updated packages in core/updates_testing:
========================
x2goserver-sqlite-4.0.0.2-1.1.mga3.i586
x2goserver-postgresql-4.0.0.2-1.1.mga3.x86_64
x2goserver-debuginfo-4.0.0.2-1.1.mga3.x86_64
x2goserver-sqlite-4.0.0.2-1.1.mga3.x86_64
x2goserver-4.0.0.2-1.1.mga3.i586
x2goserver-postgresql-4.0.0.2-1.1.mga3.i586
x2goserver-debuginfo-4.0.0.2-1.1.mga3.i586
x2goserver-4.0.0.2-1.1.mga3.x86_64

Source RPMs:
x2goserver-4.0.0.2-1.1.mga3.src
x2goserver-4.0.0.2-2.mga4.src

Freeze push needed for x2goserver-4.0.0.2-2.mga4.src
CC: (none) => makowski.mageia
Assignee: mageia => qa-bugs
Thanks Philippe! Just making some minor changes to the advisory.

Advisory:
========================

Updated x2goserver packages fix security vulnerability:

A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper x2gosqlitewrapper.c, which does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path. A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process (CVE-2013-4376).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4376
https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
http://www.gentoo.org/security/en/glsa/glsa-201310-19.xml
========================

Updated packages in core/updates_testing:
========================
x2goserver-4.0.0.2-1.1.mga3
x2goserver-postgresql-4.0.0.2-1.1.mga3
x2goserver-sqlite-4.0.0.2-1.1.mga3

from x2goserver-4.0.0.2-1.1.mga3.src.rpm
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
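The advisory above turns on a setgid wrapper that does not hardcode the path to its helper script. The following C program is an added illustration, not x2goserver's code and not part of this bug report, contrasting a path derived from caller-controlled input with a compile-time constant. The argv[0]-based derivation and the install directory /usr/lib/x2go are assumptions made for the example.

```c
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install location and file name, for illustration only. */
#define HELPER_DIR  "/usr/lib/x2go"
#define HELPER_NAME "x2gosqlitewrapper.pl"

/* Unsafe pattern (assumed): locate the helper next to argv[0]. The caller
 * chooses argv[0], so the caller chooses which script runs with the
 * wrapper's group. Returns 0 on success, -1 if the path does not fit. */
int helper_from_argv0(const char *argv0, char *out, size_t outlen)
{
    char copy[4096];
    if (strlen(argv0) >= sizeof copy)
        return -1;
    strcpy(copy, argv0);                 /* dirname() may modify its input */
    int n = snprintf(out, outlen, "%s/%s", dirname(copy), HELPER_NAME);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: a compile-time constant; argv[0] is never consulted. */
const char *helper_hardcoded(const char *argv0)
{
    (void)argv0;
    return HELPER_DIR "/" HELPER_NAME;
}

int main(int argc, char **argv)
{
    /* Fixed environment so PATH, PERL5LIB etc. from the caller are dropped. */
    static char path_var[] = "PATH=/usr/bin:/bin";
    static char *const clean_env[] = { path_var, NULL };
    const char *helper = helper_hardcoded(argc > 0 ? argv[0] : "");

    if (argc < 1)
        return 126;                      /* refuse an empty argument vector */
    argv[0] = (char *)helper;
    execve(helper, argv, clean_env);     /* absolute path, no PATH search */
    perror("execve");
    return 127;
}
```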
Please do not. I'm working on this. 4.0.0.2 is not the good one. Moreover, missing packages.
Status: NEW => ASSIGNED
Assignee: qa-bugs => mageia
(In reply to Damien Lallement from comment #4)
> Please do not.
> I'm working on this. 4.0.0.2 is not the good one.

4.0.0.2 is needed to fix a serious remotely exploitable security vulnerability. Furthermore this is the first time this report has been acted on since being reported two months ago. If we can't update this, then we should drop this package.
As I said: WIP. So, I can and I'm on it. :-)
Ok, I will not have time (personal loss) to check, to finish and to validate the update of _all_ the X2Go packages to the LTS release. I will do an update request for 4 once out. Reassigning to QA. BTW, thanks Philippe.
Assignee: mageia => qa-bugs
We should not ship this package in 4 if the issue isn't fixed there, this is a serious issue. If need be the package could be re-added to 4 later as an update since it's in 3. You haven't explained why the update Philippe has already committed to SVN isn't acceptable for you.
Oh, you were unclear in your message here. Your post to the dev ml indicates you're OK with the freeze push request, just that you'll have additional fixes for the package coming later. That's fine then. Thanks.
CC: makowski.mageia => (none)
Is this ready for testing then? It's not clear from the above.
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #10)
> Is this ready for testing then? It's not clear from the above.

Yes. Damien is planning a further bugfix update after Mageia 4 is out, but for the security update it's ready to go.
x2goserver-4.0.0.2-2.mga4 uploaded for Cauldron.
Blocks: 11726 => (none)
Whiteboard: (none) => advisory
The file /lib/systemd/system/x2goserver.service needs the PIDFile line added, so systemd will be able to confirm it's started, as in ...

[Service]
# The process to start is x2gocleansession
ExecStart=/usr/sbin/x2gocleansessions
PIDFile=/var/run/x2goserver.pid

It may also be a good idea to enable the service in postinstall.

Also /usr/bin/perl /usr/sbin/x2gocleansessions is running as root, while the announcement on lists.berlios.de indicates it should be running as x2gouser. Not sure what's required to do that.
Whiteboard: advisory => feedback
According to Fedora's update advisory for this, it sounds like there's another severe security vulnerability in x2gocleansessions that was fixed in 4.0.0.8:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126414.html

This may need to be updated again.
CC: (none) => makowski.mageia
Created attachment 4808
Screenshot of a failure with the x2goservice and the x2go client on a VM

This is a screenshot of the failure I'm getting trying to run first x2goservice as root (using "service x2goserver start" IIRC) and then "service sshd start" as root, and then try to connect using the x2goclient.

BTW, last time I tried running "x2goclient localhost" crashed immediately.

My VM is a VirtualBox Mageia 3 x86-64 VM.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #15)
> Created attachment 4808
> Screenshot of a failure with the x2goservice and the x2go client on a VM
>
> This is a screenshot of the failure I'm getting trying to run first
> x2goservice as root (using "service x2goserver start" IIRC) and then
> "service sshd start" as root, and then try to connect using the x2goclient.
>
> BTW, last time I tried running "x2goclient localhost" crashed immediately.
>
> My VM is a VirtualBox Mageia 3 x86-64 VM.

I should note that I updated all the updates from Updates Testing.
(In reply to David Walser from comment #14)
> According to Fedora's update advisory for this, it sounds like there's
> another severe security vulnerability in x2gocleansessions that was fixed in
> 4.0.0.8:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126414.html
>
> This may need to be updated again.

Assigning back to the maintainer due to this.
CC: (none) => qa-bugs
Version: 3 => Cauldron
Blocks: (none) => 11726
Assignee: qa-bugs => mageia
Whiteboard: feedback => MGA3TOO
I've updated to latest versions in Cauldron for mga4.
x2goserver-4.0.1.13-1.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Please test x2goserver-4.0.1.13-1.2.mga3.
Oops, please test: x2goserver-4.0.1.13-1.mga3
Assigning back to QA.

Advisory:
========================

Updated x2goserver packages fix security vulnerability:

A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper x2gosqlitewrapper.c, which does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path. A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process (CVE-2013-4376).

A vulnerability in x2goserver before 4.0.0.8 in x2gocleansessions has also been fixed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4376
https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
http://www.gentoo.org/security/en/glsa/glsa-201310-19.xml
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126414.html
========================

Updated packages in core/updates_testing:
========================
x2goserver-4.0.1.13-1.mga3
x2goserver-postgresql-4.0.1.13-1.mga3
x2goserver-sqlite-4.0.1.13-1.mga3

from x2goserver-4.0.1.13-1.mga3.src.rpm
Started the server on a Mageia 3 x86_64 vb system.

On a Mageia 3 i586 system, the client will connect, then kde starts, then the client closes. In a terminal, it shows ...

Generating public/private rsa key pair.
Ohhhh jeeee: Assertion `pool_is_locked' failed (random-csprng.c:1074:add_randomness)
Aborted

This appears to be a problem with https://github.com/Chronic-Dev/libgcrypt/tree/master/random or in how it's being called. Google shows half a dozen reports of this message, but with no solutions.

The dialog displays ...

The remote proxy closed the connection while negotiating the session. This may be due to the wrong authentication credentials passed to the server.

Situation is the same with the server on i586, and the client on x86_64.

As the server starts, and it seems there is also a windows client, which may work, should we go ahead and push this security update, and open a separate bug report for the client?
(In reply to Dave Hodgins from comment #23)
> As the server starts, and it seems there is also a windows
> client, which may work, should we go ahead and push this
> security update, and open a separate bug report for the
> client?

Critical remotely exploitable security issues in the server; I'd say so.
Whiteboard: (none) => feedback
Whiteboard: feedback => (none)
Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed:
http://advisories.mageia.org/MGASA-2014-0111.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
The second vulnerability has been assigned a CVE:
http://openwall.com/lists/oss-security/2014/05/19/4

Revised advisory:

Updated x2goserver packages fix security vulnerabilities:

A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper x2gosqlitewrapper.c, which does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path. A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process (CVE-2013-4376).

A vulnerability in x2goserver before 4.0.0.8 in x2gocleansessions has also been fixed (CVE-2013-7383).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7383
https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
https://lists.berlios.de/pipermail/x2go-announcement/2014-January/000165.html
http://openwall.com/lists/oss-security/2014/05/19/4
http://www.gentoo.org/security/en/glsa/glsa-201310-19.xml
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/126414.html
LWN reference for CVE-2013-7383:
http://lwn.net/Vulnerabilities/599443/