Package: x2goclient
Severity: important

In X2Go it is currently possible to replace every command in X2Go Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.

IMHO, we should make sure X2Go Client only uses system-wide paths when invoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user> space, but actually, I prefer a safe setup to such custom installation tweaks.

Feedback?!?

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: [email protected], http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
_______________________________________________
X2Go-Dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/x2go-dev
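
The report above proposes using only system-wide paths when invoking server commands. The following is an added example, not part of the original post and not X2Go code, showing one way to detect a command shadowed by a directory such as ~/bin and to run the system-wide copy instead. The `TRUSTED_DIRS` list and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not X2Go code. TRUSTED_DIRS is an assumed list of
# system-wide directories; adjust it to the server's real layout.
TRUSTED_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"

# Succeed if directory $1 is one of TRUSTED_DIRS.
in_trusted_dir() {
    for _t in $TRUSTED_DIRS; do
        [ "$1" = "$_t" ] && return 0
    done
    return 1
}

# Print the absolute path of command $1, searching TRUSTED_DIRS only.
resolve_system_cmd() {
    case "$1" in
        ""|*/*) return 1 ;;  # refuse empty names and names carrying a path
    esac
    for _d in $TRUSTED_DIRS; do
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then
            printf '%s\n' "$_d/$1"
            return 0
        fi
    done
    return 1
}

# Succeed if an ordinary PATH lookup of $1 would pick a file outside
# TRUSTED_DIRS (such as ~/bin), i.e. the system command is shadowed.
is_shadowed() {
    _hit=""
    _old_ifs=$IFS; IFS=:
    for _d in $PATH; do
        [ -n "$_d" ] || _d=.   # an empty PATH entry means the current directory
        if [ -f "$_d/$1" ] && [ -x "$_d/$1" ]; then _hit=$_d; break; fi
    done
    IFS=$_old_ifs
    [ -n "$_hit" ] && ! in_trusted_dir "$_hit"
}

# Run command $1 from TRUSTED_DIRS with the remaining arguments, ignoring PATH.
run_system_cmd() {
    _cmd=$(resolve_system_cmd "$1") || return 127
    shift
    "$_cmd" "$@"
}
```

A caller would log or refuse when `is_shadowed NAME` succeeds and invoke the command through `run_system_cmd NAME ARGS` rather than by bare name.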
