From mike.gabriel@das-netzwerkteam.de Wed Dec 25 21:22:20 2019
Date: Wed, 25 Dec 2019 20:22:18 +0000
Message-ID: <20191225202218.Horde.R1o0BKmDXMXZYhl08zP0ZTs@mail.das-netzwerkteam.de>
From: Mike Gabriel
To: Mihai Moldovan, 1428@bugs.x2go.org
Cc: 1428-submitter@bugs.x2go.org, 1429@bugs.debian.org
Subject: Re: [X2Go-Dev] Bug#1428: X2Go issue (in src:x2goclient) has been marked as pending for release
In-Reply-To: <20191220193249.A9F595DAF7@ymir.das-netzwerkteam.de>

Hi,

On Fri, 20 Dec 2019 20:32:49 CET, Mihai Moldovan wrote:

> tag #1428 pending
> fixed #1428 4.1.2.2
> thanks
>
> Hello,
>
> X2Go issue #1428 (src:x2goclient) reported by you has been
> fixed in X2Go Git. You can see the changelog below, and you can
> check the diff of the fix at:
>
> http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>
> The issue will most likely be fixed in src:x2goclient (4.1.2.2).
>
> light+love
> X2Go Git Admin (on behalf of the sender of this mail)
>
> ---
> commit ce559d163a943737fe4160f7233925df2eee1f9a
> Author: Mihai Moldovan
> Date: Fri Dec 20 20:27:31 2019 +0100
>
> src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428.
>
> This was already necessary for pascp (PuTTY-based Windows solution for
> Kerberos support), but newer libssh versions with the CVE-2019-14889
> also interpret paths as literal strings.
>
> diff --git a/debian/changelog b/debian/changelog
> index 504d6ae..9f84281 100644
> --- a/debian/changelog
> +++ b/debian/changelog 
> @@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=3Dme= dium > sound weird first, but this behavior is consistent between all > applications - tray icons can be clicked via either button and wil= l > always trigger a context menu. Let X2Go Client behave the same way= . > + - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and=20=20 >=20$HOME{,/} from > + destination paths in scp mode. Fixes: #1428. This was already=20= =20 >=20necessary > + for pascp (PuTTY-based Windows solution for Kerberos=20=20 >=20support), but newer > + libssh versions with the CVE-2019-14889 also interpret paths=20=20 >=20as literal > + strings. > * debian/control: > + Add build-depend on pkg-config. > * x2goclient.spec:

Please note that I am currently working on getting this libssh/CVE-2019-14889 robustness patch into Debian [done] and Ubuntu [pending].

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
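Review bot: the added changelog lines say that "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings", which reads as if the vulnerable versions changed behaviour; if the literal treatment comes from the versions carrying the fix for CVE-2019-14889, "with the fix for CVE-2019-14889" would state the motivation unambiguously. The entry would also be more useful to users if it said what a stripped destination resolves to (a path relative to the remote home directory), since that is the observable behaviour of the change.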
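As an added illustration of the normalisation the quoted commit describes (example code, not x2goclient's own src/sshprocess.cpp), the function below strips the home-directory forms listed in the commit message from an scp destination. The `user` parameter (the remote login name, so that only that user's `~user` is treated as home) and the `.` returned when nothing is left after the prefix are assumptions of this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Strip a leading home-directory reference (~, ~/, ~user, ~user/, $HOME,
// $HOME/, ${HOME}, ${HOME}/) from an scp destination and return a path
// relative to the remote home directory. A prefix only matches when it is
// followed by '/' or by the end of the string, so "$HOMEWORK/x" and
// "~username2/x" are left untouched. 'user' is the remote login name; only
// that user's "~user" form is treated as the home directory (assumption).
std::string stripHomePrefix(const std::string& dest, const std::string& user) {
    const std::vector<std::string> prefixes = {
        "${HOME}", "$HOME", "~" + user, "~",
    };
    for (const std::string& p : prefixes) {
        if (dest.compare(0, p.size(), p) != 0) continue;          // not a prefix
        if (dest.size() > p.size() && dest[p.size()] != '/') continue;  // e.g. "$HOMEWORK"
        std::string rest = dest.substr(p.size());
        // drop the separator(s) that followed the prefix
        std::size_t i = 0;
        while (i < rest.size() && rest[i] == '/') ++i;
        rest.erase(0, i);
        // an empty remainder means "the home directory itself" (assumption: "." )
        return rest.empty() ? "." : rest;
    }
    return dest;  // no home reference: pass through unchanged
}
```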