X2Go Bug report logs -
#1429
Tilde expansion no longer performed by libssh after CVE-2019-14889
Reported by: Sylvain Cuaz <sylvain@ilm-informatique.fr>
Date: Fri, 20 Dec 2019 17:25:01 UTC
Severity: normal
Tags: pending
Merged with 1428
Found in version 4.1.2.1
Fixed in version 4.1.2.2
Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient.
(Fri, 20 Dec 2019 17:25:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.
(Fri, 20 Dec 2019 17:25:02 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):
Package: x2goclient
Version: 4.1.1.1
SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.
Client OS Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS Ubuntu 16.04.6 LTS
Since december, 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message :
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.
After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
https://usn.ubuntu.com/4219-1/ for the ubuntu packages
A similar issue is handled for Windows in SshProcess::start_cp()
As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
Information forwarded
to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient.
(Fri, 20 Dec 2019 18:10:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.
(Fri, 20 Dec 2019 18:10:02 GMT) (full text, mbox, link).
Message #10 received at 1429@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: reassign -1 x2goclient 4.1.2.1
Control: forcemerge -1 1428
* On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
> SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.
> [...]
> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
> https://usn.ubuntu.com/4219-1/ for the ubuntu packages
Yes, I think that this change has been intentional. I'll have to fix that in
X2Go Client and I know how to do this easily to retain support for pre-patched
and patched versions.
I will, however, probably not be able to provide new release versions with that
fix (and others) for about a months.
I'll let you know when fixed nightly versions are available, though.
> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
Please don't do that OR recommend that. You're essentially now running without
the CVE fix, which is probably worse than a broken client.
Mihai
[signature.asc (application/pgp-signature, attachment)]
Marked as found in versions 4.1.2.1; no longer marked as found in versions 4.1.1.1.
Request was from Mihai Moldovan <ionic@ionic.de>
to 1429-submit@bugs.x2go.org.
(Fri, 20 Dec 2019 18:10:03 GMT) (full text, mbox, link).
Merged 1428 1429
Request was from Mihai Moldovan <ionic@ionic.de>
to 1429-submit@bugs.x2go.org.
(Fri, 20 Dec 2019 18:10:03 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Mihai Moldovan <ionic@ionic.de>
to control@bugs.x2go.org.
(Fri, 20 Dec 2019 19:35:02 GMT) (full text, mbox, link).
Marked as fixed in versions 4.1.2.2.
Request was from Mihai Moldovan <ionic@ionic.de>
to control@bugs.x2go.org.
(Fri, 20 Dec 2019 19:35:02 GMT) (full text, mbox, link).
Information forwarded
to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient.
(Fri, 20 Dec 2019 20:45:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.
(Fri, 20 Dec 2019 20:45:02 GMT) (full text, mbox, link).
Message #23 received at 1429@bugs.x2go.org (full text, mbox, reply):
Le 20/12/2019 à 19:06, Mihai Moldovan a écrit :
> Control: reassign -1 x2goclient 4.1.2.1
> Control: forcemerge -1 1428
>
> * On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
>> SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.
>> [...]
>> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
>> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
>> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
>> https://usn.ubuntu.com/4219-1/ for the ubuntu packages
> Yes, I think that this change has been intentional. I'll have to fix that in
> X2Go Client and I know how to do this easily to retain support for pre-patched
> and patched versions.
>
> I will, however, probably not be able to provide new release versions with that
> fix (and others) for about a months.
>
> I'll let you know when fixed nightly versions are available, though.
OK thanks
>> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
> Please don't do that OR recommend that. You're essentially now running without
> the CVE fix, which is probably worse than a broken client.
Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings.
Information forwarded
to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1429; Package x2goclient.
(Fri, 20 Dec 2019 23:35:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.
(Fri, 20 Dec 2019 23:35:02 GMT) (full text, mbox, link).
Message #28 received at 1429@bugs.x2go.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
* On 12/20/19 9:44 PM, Sylvain Cuaz wrote:
> Le 20/12/2019 à 19:06, Mihai Moldovan a écrit :
>> I'll let you know when fixed nightly versions are available, though.
>
> OK thanks
Nightly builds should incorporate the fix now.
Mihai
[signature.asc (application/pgp-signature, attachment)]
Marked Bug as done
Request was from X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>
to control@bugs.x2go.org.
(Wed, 12 Feb 2020 21:50:12 GMT) (full text, mbox, link).
Notification sent
to Sylvain Cuaz <sylvain@ilm-informatique.fr>:
Bug acknowledged by developer.
(Wed, 12 Feb 2020 21:50:13 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.x2go.org>
to internal_control@bugs.x2go.org.
(Thu, 12 Mar 2020 06:24:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
X2Go Developers <owner@bugs.x2go.org>.
Last modified:
Thu Nov 21 14:17:21 2024;
Machine Name:
ymir.das-netzwerkteam.de
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
