
List:       oss-security
Subject:    Re: [oss-security] Re: CVE request: X2Go Server privilege escalation
From:       Chris Reffett <creffett () gentoo ! org>
Date:       2014-05-19 19:02:40
Message-ID: 537A5550.809 () gentoo ! org

On 5/19/2014 3:01 AM, cve-assign@mitre.org wrote:
>> I don't see a CVE assigned for the vulnerability announced here:
>> http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/83
>> It appears that this is a privilege escalation through injecting
>> backticks, but I'm not absolutely sure. It is fixed as of versions
>> 4.0.1.10/4.0.0.8 in the following commits:
>> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
>> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
>> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8
>> http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104
> 
> Use CVE-2013-7383.
> 
> Please clarify whether there is a fourth required commit. (The
> first commit was listed twice in your original message.)
> 
> 
Sorry about that, my mistake. The second commit should have been:
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=b03665513ab1969b069c1351fe17cbb8b5fca256
So yes, there are four commits. Thanks for the catch!

Chris Reffett