A path vulnerability in X2Go Server may allow remote execution of arbitrary code.
|Package||net-misc/x2goserver on all architectures|
|Affected versions||< 18.104.22.168|
|Unaffected versions||>= 22.214.171.124|
X2Go is an open source terminal server project.
A vulnerability in the setgid wrapper x2gosqlitewrapper.c does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path.
A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process.
There is no known workaround at this time.
All X2Go Server users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/x2goserver-126.96.36.199"
October 28, 2013
October 28, 2013: 1