
List:       oss-security
Subject:    Re: [oss-security] CVE request: X2Go server
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-09-25 15:41:49
Message-ID: 5243043D.5000409 () redhat ! com

On 09/24/2013 12:33 PM, Chris Reffett wrote:
> Hi all, I couldn't find a CVE, so I would like to request one for
> a vulnerability in X2Go Server. The vendor reported an issue where
> a remote user could execute arbitrary code as the x2go user,
> apparently by leveraging a setgid executable which did not have a
> hardcoded path to "libx2go-server-db-sqlite3-wrapper.pl". [1] is
> the commit fixing the vulnerable code, [2] is the upstream release
> announcement.
> 
> Thanks, Chris Reffett
> 
> 
> [1] http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=42264c88d7885474ebe3763b2991681ddfcfa69a
> [2] https://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html

Please use CVE-2013-4376 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993