X2Go Bug report logs - #1429
Tilde expansion no longer performed by libssh after CVE-2019-14889


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Sylvain Cuaz <sylvain@ilm-informatique.fr>

Date: Fri, 20 Dec 2019 17:25:01 UTC

Severity: normal

Tags: pending

Merged with 1428

Found in version 4.1.2.1

Fixed in version 4.1.2.2

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>



Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient. (Fri, 20 Dec 2019 17:25:02 GMT)


Acknowledgement sent to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 20 Dec 2019 17:25:02 GMT)


Message #5 received at submit@bugs.x2go.org:

From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
To: submit@bugs.x2go.org
Subject: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Fri, 20 Dec 2019 18:21:24 +0100
Package: x2goclient
Version: 4.1.1.1

SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.

Client OS Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS Ubuntu 16.04.6 LTS

Since December 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message:
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.

After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
https://usn.ubuntu.com/4219-1/ for the Ubuntu packages

A similar issue is handled for Windows in SshProcess::start_cp()

As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
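
The quoting behaviour described in the report above, as an added example that is not part of the original report and is neither X2Go nor libssh code: it shows what the remote shell hands to the receiving program when the target path is pasted unquoted versus single-quoted, and one caller-side way to avoid depending on tilde expansion. `sh_quote`, `remote_sees_unquoted`, `remote_sees_quoted` and `absolute_target` are hypothetical helpers, the home directory and key name are constructed, and a bare `~` is used instead of `~ilm` so the demo does not need a local `ilm` account.

```shell
#!/bin/sh
# Added example with constructed values; nothing is copied and no SSH is used.
# `printf %s` stands in for the remote `scp -t`, so each helper returns the
# argument the remote program would receive after the remote shell parsed it.

# Wrap a string in single quotes for sh, escaping embedded single quotes.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Unquoted shape: the path is pasted into the command line as-is, so the
# remote shell performs tilde expansion on it. $2 = remote HOME (constructed).
remote_sees_unquoted() {
    HOME="$2" sh -c "printf '%s' $1"
}

# Quoted shape: the path is single-quoted, so the shell passes it through
# byte for byte and "~" is just a character in a file name.
remote_sees_quoted() {
    HOME="$2" sh -c "printf '%s' $(sh_quote "$1")"
}

# Caller-side alternative (hypothetical helper): join an already-resolved
# home directory ($1) and a relative path ($2) into an absolute path,
# rejecting absolute inputs and ".." components.
absolute_target() {
    case "$2" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    printf '%s/%s' "${1%/}" "$2"
}

demo() {
    home=/home/ilm                      # constructed remote home
    tilde='~/.x2go/ssh/key.demo'        # constructed, mirrors the report's path
    printf 'unquoted: %s\n' "$(remote_sees_unquoted "$tilde" "$home")"
    printf 'quoted:   %s\n' "$(remote_sees_quoted "$tilde" "$home")"
    abs=$(absolute_target "$home" '.x2go/ssh/key.demo')
    printf 'absolute: %s\n' "$(remote_sees_quoted "$abs" "$home")"
}
demo
```

The quoted line keeps the literal `~`, which matches the "No such file or directory" error in the report, while the absolute path survives quoting unchanged.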


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient. (Fri, 20 Dec 2019 18:10:02 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 20 Dec 2019 18:10:02 GMT)


Message #10 received at 1429@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: Sylvain Cuaz <sylvain@ilm-informatique.fr>, 1429@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Fri, 20 Dec 2019 19:06:14 +0100
Control: reassign -1 x2goclient 4.1.2.1
Control: forcemerge -1 1428

* On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
> SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.
> [...]
> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
> https://usn.ubuntu.com/4219-1/ for the Ubuntu packages

Yes, I think that this change has been intentional. I'll have to fix that in
X2Go Client and I know how to do this easily to retain support for pre-patched
and patched versions.

I will, however, probably not be able to provide new release versions with that
fix (and others) for about a month.

I'll let you know when fixed nightly versions are available, though.


> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.

Please don't do that OR recommend that. You're essentially now running without
the CVE fix, which is probably worse than a broken client.



Mihai


Marked as found in versions 4.1.2.1; no longer marked as found in versions 4.1.1.1. Request was from Mihai Moldovan <ionic@ionic.de> to 1429-submit@bugs.x2go.org. (Fri, 20 Dec 2019 18:10:03 GMT)


Merged 1428 1429 Request was from Mihai Moldovan <ionic@ionic.de> to 1429-submit@bugs.x2go.org. (Fri, 20 Dec 2019 18:10:03 GMT)


Added tag(s) pending. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Fri, 20 Dec 2019 19:35:02 GMT)


Marked as fixed in versions 4.1.2.2. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Fri, 20 Dec 2019 19:35:02 GMT)


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient. (Fri, 20 Dec 2019 20:45:02 GMT)


Acknowledgement sent to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 20 Dec 2019 20:45:02 GMT)


Message #23 received at 1429@bugs.x2go.org:

From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
To: Mihai Moldovan <ionic@ionic.de>, 1429@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Fri, 20 Dec 2019 21:44:07 +0100
On 20/12/2019 at 19:06, Mihai Moldovan wrote:
> Control: reassign -1 x2goclient 4.1.2.1
> Control: forcemerge -1 1428
>
> * On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
>> SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.
>> [...]
>> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
>> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
>> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
>> https://usn.ubuntu.com/4219-1/ for the Ubuntu packages
> Yes, I think that this change has been intentional. I'll have to fix that in
> X2Go Client and I know how to do this easily to retain support for pre-patched
> and patched versions.
>
> I will, however, probably not be able to provide new release versions with that
> fix (and others) for about a month.
>
> I'll let you know when fixed nightly versions are available, though.

OK thanks

>> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
> Please don't do that OR recommend that. You're essentially now running without
> the CVE fix, which is probably worse than a broken client.

Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings.


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient. (Fri, 20 Dec 2019 23:35:02 GMT)


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 20 Dec 2019 23:35:02 GMT)


Message #28 received at 1429@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: Sylvain Cuaz <sylvain@ilm-informatique.fr>, 1429@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Sat, 21 Dec 2019 00:30:51 +0100
* On 12/20/19 9:44 PM, Sylvain Cuaz wrote:
> On 20/12/2019 at 19:06, Mihai Moldovan wrote:
>> I'll let you know when fixed nightly versions are available, though.
> 
> OK thanks

Nightly builds should incorporate the fix now.



Mihai



Marked Bug as done Request was from X2Go Release Manager X2Go Release Manager <git-admin@x2go.org> to control@bugs.x2go.org. (Wed, 12 Feb 2020 21:50:12 GMT)


Notification sent to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
Bug acknowledged by developer. (Wed, 12 Feb 2020 21:50:13 GMT)




X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Feb 27 05:33:58 2020; Machine Name: ymir.das-netzwerkteam.de
