Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200804-05 ] NX: User-assisted execution of arbitrary code
Date: Sun, 06 Apr 2008 13:34:11
Message-Id: 200804061531.49379.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200804-05:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: NX: User-assisted execution of arbitrary code
      Date: April 06, 2008
   Updated: April 06, 2008
      Bugs: #210317
        ID: 200804-05:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

NX uses code from the X.org X11 server which is prone to multiple
vulnerabilities.

Background
==========

NoMachine's NX establishes remote connections to X11 desktops over
small bandwidth links. NX and NX Node are the compression core
libraries, whereas NX is used by FreeNX and NX Node by the binary-only
NX servers.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-misc/nxnode      < 3.1.0-r2                       >= 3.1.0-r2
  2  net-misc/nx          < 3.1.0-r1                       >= 3.1.0-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple integer overflow and buffer overflow vulnerabilities have been
discovered in the X.Org X server as shipped by NX and NX Node
(vulnerabilities 1-4 in GLSA 200801-09).

Impact
======

A remote attacker could exploit these vulnerabilities via unspecified
vectors, leading to the execution of arbitrary code with the privileges
of the user on the machine running the NX server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NX Node users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/nxnode-3.1.0-r2"

All NX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/nx-3.1.0-r1"

References
==========

  [ 1 ] GLSA 200801-09
        http://www.gentoo.org/security/en/glsa/glsa-200801-09.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature
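
Added example (not part of the advisory or of any Gentoo tool): a small inventory check that applies the thresholds from the "Affected packages" table to a list of installed packages. The function names, the simplified version grammar (dotted numbers plus an optional -rN revision) and the sample inventory are assumptions made for this illustration.

```python
import re

# Fixed versions copied from the "Affected packages" table of GLSA 200804-05.
FIXED_IN = {"net-misc/nxnode": "3.1.0-r2", "net-misc/nx": "3.1.0-r1"}

# Simplification (assumption): only dotted numbers plus an optional -rN
# revision are accepted; suffixes such as _p1 or _rc2 and components with
# leading zeros are rejected instead of being compared wrongly.
_VERSION = r"(?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*(?:-r\d+)?"


def parse_version(version):
    """Turn '3.1.0-r2' into ((3, 1, 0), 2); a missing -rN counts as r0."""
    if re.fullmatch(_VERSION, version) is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    base, _, revision = version.partition("-r")
    return tuple(int(part) for part in base.split(".")), int(revision or 0)


def is_vulnerable(package, version):
    """True if `version` of `package` is below the advisory's fixed version."""
    fixed = FIXED_IN.get(package)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def audit(installed):
    """Return (package, version, fixed_version) for each vulnerable entry."""
    findings = []
    for entry in installed:
        for package, fixed in FIXED_IN.items():
            prefix = package + "-"
            # The digit check keeps "net-misc/nx-" from matching other names.
            if entry.startswith(prefix) and entry[len(prefix):][:1].isdigit():
                version = entry[len(prefix):]
                if is_vulnerable(package, version):
                    findings.append((package, version, fixed))
    return findings


# Constructed sample inventory in category/name-version form.
SAMPLE = [
    "net-misc/nx-3.1.0",
    "net-misc/nxnode-3.1.0-r2",
    "net-misc/openssh-4.7_p1-r6",
    "net-misc/nxnode-3.0.0-r3",
]

if __name__ == "__main__":
    for package, version, fixed in audit(SAMPLE):
        print(f"{package}-{version} is vulnerable, upgrade to >= {fixed}")
```

A version string the simplified grammar cannot parse raises ValueError for the two tracked packages, so an unusual version is reported rather than silently treated as unaffected.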