X2Go Server: Arbitrary code execution

A path vulnerability in X2Go Server may allow remote execution of arbitrary code.

x2goserver 2013-10-28 2013-10-28 472582 remote 4.0.0.2 4.0.0.2

X2Go is an open source terminal server project.

The setgid wrapper x2gosqlitewrapper.c does not hardcode the internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path.

A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process.

There is no known workaround at this time.

All X2Go Server users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/x2goserver-4.0.0.2"
CVE-2013-4376 creffett creffett