Hi,

On Fr 20 Dez 2019 20:32:49 CET, Mihai Moldovan wrote:

> tag #1428 pending
> fixed #1428 4.1.2.2
> thanks
>
> Hello,
>
> X2Go issue #1428 (src:x2goclient) reported by you has been
> fixed in X2Go Git. You can see the changelog below, and you can
> check the diff of the fix at:
>
> http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>
> The issue will most likely be fixed in src:x2goclient (4.1.2.2).
>
> light+love
> X2Go Git Admin (on behalf of the sender of this mail)
>
> ---
> commit ce559d163a943737fe4160f7233925df2eee1f9a
> Author: Mihai Moldovan
> Date: Fri Dec 20 20:27:31 2019 +0100
>
> src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
> $HOME{,/} from destination paths in scp mode. Fixes: #1428.
>
> This was already necessary for pascp (PuTTY-based Windows solution for
> Kerberos support), but newer libssh versions with the CVE-2019-14889
> also interpret paths as literal strings.
>
> diff --git a/debian/changelog b/debian/changelog
> index 504d6ae..9f84281 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
> sound weird first, but this behavior is consistent between all
> applications - tray icons can be clicked via either button and will
> always trigger a context menu. Let X2Go Client behave the same way.
> + - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
> $HOME{,/} from
> + destination paths in scp mode. Fixes: #1428. This was already
> necessary
> + for pascp (PuTTY-based Windows solution for Kerberos
> support), but newer
> + libssh versions with the CVE-2019-14889 also interpret paths
> as literal
> + strings.
> * debian/control:
> + Add build-depend on pkg-config.
> * x2goclient.spec:

Please note that I am currently working on getting this libssh/CVE-2019-14889 robustness patch into Debian [done] and Ubuntu [pending].

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
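Review bot: The added debian/changelog entry lists "~user{,/}" among the prefixes stripped from scp destination paths but does not say what happens when that user is not the login user. Dropping the prefix there would silently redirect the upload into the login user's home instead of the directory that was named. The entry, or the code it describes in src/sshprocess.cpp (not part of this hunk), should state whether foreign "~user" paths are rejected or rewritten, and what the stripped path is resolved against on the remote side. A smaller wording point in the same entry: "newer libssh versions with the CVE-2019-14889" reads as though those versions carry the vulnerability, and "with the CVE-2019-14889 fix" would make clear that it is the patched versions that treat paths as literal strings.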