X2Go Server: Arbitrary code execution — GLSA 201310-19

A path vulnerability in X2Go Server may allow remote execution of arbitrary code.

Affected Packages

net-misc/x2goserver on all architectures
Affected versions < 4.0.0.2
Unaffected versions >= 4.0.0.2

Background

X2Go is an open source terminal server project.

Description

A vulnerability in the setgid wrapper x2gosqlitewrapper.c does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process.

Workaround

There is no known workaround at this time.

Resolution

All X2Go Server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/x2goserver-4.0.0.2"
 

References

Release Date
October 28, 2013

Latest Revision
October 28, 2013: 1

Severity
high

Exploitable
remote

Bugzilla entries