Date: Sat, 17 May 2014 22:09:01 -0400
From: Chris Reffett <creffett@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: X2Go Server privilege escalation

Hello,
I don't see a CVE assigned for the vulnerability announced here:
http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/83
It appears that this is a privilege escalation through injecting
backticks, but I'm not absolutely sure. It is fixed as of versions
4.0.1.10/4.0.0.8 in the following commits:
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8
http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104

Could a CVE be assigned?

Thanks,
Chris Reffett

