Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200807-07 ] NX: User-assisted execution of arbitrary code
Date: Wed, 09 Jul 2008 22:32:14
Message-Id: 200807100001.52617.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200807-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: NX: User-assisted execution of arbitrary code
      Date: July 09, 2008
      Bugs: #230147
        ID: 200807-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

NX uses code from the X.org X11 server which is prone to multiple
vulnerabilities.

Background
==========

NoMachine's NX establishes remote connections to X11 desktops over
small bandwidth links. NX and NX Node are the compression core
libraries, whereas NX is used by FreeNX and NX Node by the binary-only
NX servers.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  net-misc/nxnode      < 3.2.0-r3                       >= 3.2.0-r3
  2  net-misc/nx          < 3.2.0-r2                       >= 3.2.0-r2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple integer overflow and buffer overflow vulnerabilities have been
discovered in the X.Org X server as shipped by NX and NX Node (GLSA
200806-07).

Impact
======

A remote attacker could exploit these vulnerabilities via unspecified
vectors, leading to the execution of arbitrary code with the privileges
of the user on the machine running the NX server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NX Node users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/nxnode-3.2.0-r3"

All NX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/nx-3.2.0-r2"
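
To check which hosts still need the upgrades above, the following added example (not part of the original advisory or of any Gentoo tool) compares installed package versions against the "Affected packages" table. The function names and the sample package list are hypothetical, and the version grammar is an assumed simplification of Gentoo's rules that accepts only dotted integers with an optional -rN revision.

```python
import re

# First unaffected version per package, from the advisory's "Affected packages" table.
FIXED = {"net-misc/nxnode": "3.2.0-r3", "net-misc/nx": "3.2.0-r2"}

# Assumption: versions are dotted integers with an optional -rN revision, which
# covers every version in this advisory; suffixes such as _p1 or _rc2 are rejected.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_CPV = re.compile(r"^(?P<cp>[^/]+/.+?)-(?P<ver>\d.*)$")

# Constructed sample of installed packages in category/name-version form.
SAMPLE_INSTALLED = [
    "net-misc/nxnode-3.2.0-r2",
    "net-misc/nx-3.2.0-r2",
    "app-shells/bash-3.2_p33",
]


def parse_version(version):
    """Return ((major, minor, ...), revision) so tuples compare in version order."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(part) for part in m.group(1).split(".")), int(m.group(2) or 0)


def affected(installed):
    """List (installed package, upgrade atom) pairs still in the vulnerable range."""
    hits = []
    for cpv in installed:
        m = _CPV.match(cpv.strip())
        if m is None or m.group("cp") not in FIXED:
            continue  # not one of the two packages this advisory covers
        fixed = FIXED[m.group("cp")]
        # Fail loudly on a version we cannot compare rather than report "safe".
        if parse_version(m.group("ver")) < parse_version(fixed):
            hits.append((cpv.strip(), f">={m.group('cp')}-{fixed}"))
    return hits


if __name__ == "__main__":
    for package, atom in affected(SAMPLE_INSTALLED):
        print(f"{package} is vulnerable; upgrade to {atom}")
```

The two packages have different fixed revisions, so the same installed revision (-r2) is vulnerable for net-misc/nxnode but unaffected for net-misc/nx. On a real host the input list can be taken from `qlist -Iv` (portage-utils).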

References
==========

  [ 1 ] GLSA 200806-07
        http://www.gentoo.org/security/en/glsa/glsa-200806-07.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
