From unknown Fri Apr 17 07:44:10 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Reply-To: Sylvain Cuaz <sylvain@ilm-informatique.fr>, 1429@bugs.x2go.org
Resent-From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
Resent-Date: Fri, 20 Dec 2019 17:25:01 +0000
Resent-Message-ID: <handler.1429.B.157686249031611@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 1429
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.157686249031611
          (code B); Fri, 20 Dec 2019 17:25:01 +0000
Received: (at submit) by bugs.x2go.org; 20 Dec 2019 17:21:30 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=3.0 tests=BAYES_20,SPF_HELO_NONE,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
Received: from 7.mo179.mail-out.ovh.net (7.mo179.mail-out.ovh.net [46.105.61.94])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 58EBE5DAE7
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 18:21:26 +0100 (CET)
Received: from player796.ha.ovh.net (unknown [10.108.54.94])
	by mo179.mail-out.ovh.net (Postfix) with ESMTP id D3B09152F1A
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 18:21:25 +0100 (CET)
Received: from ilm-informatique.fr (38.233.153.77.rev.sfr.net [77.153.233.38])
	(Authenticated sender: sylvain@ilm-informatique.fr)
	by player796.ha.ovh.net (Postfix) with ESMTPSA id 437A4D696DC2
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 17:21:25 +0000 (UTC)
From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
To: submit@bugs.x2go.org
Message-ID: <cd6dd615-289f-6914-7668-9190b8aca97e@ilm-informatique.fr>
Date: Fri, 20 Dec 2019 18:21:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB

Package: x2goclient
Version: 4.1.1.1

SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.

Client OS Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS Ubuntu 16.04.6 LTS

Since December 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message:
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.

After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted); see
https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
https://usn.ubuntu.com/4219-1/ for the Ubuntu packages.

A similar issue is handled for Windows in SshProcess::start_cp().

As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
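
Added example, not part of the original report and not x2goclient or libssh code: a local shell sketch of why a single-quoted scp target keeps its tilde literal, and how resolving the home directory on the client before quoting avoids depending on expansion. The helper names, the /home/ilm value and the use of "~" with HOME in place of "~ilm" are assumptions made so it runs offline.

```shell
#!/bin/sh
# Constructed stand-in for the remote account: "~" expands to $HOME the same
# way "~ilm" expands to ilm's home directory through a passwd lookup.
FAKE_HOME=/home/ilm

# quote_path PATH: single-quote PATH for a shell command line, escaping any
# embedded single quote as '\'' (hypothetical helper, not libssh's function).
quote_path() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_sees WORD: print the argument a shell ends up with after parsing
# WORD on a command line, as the remote shell does with the scp target.
remote_sees() {
    HOME=$FAKE_HOME sh -c "printf '%s' $1"
}

# absolute_target HOME_DIR PATH: client-side fix. Replace a leading "~/" with
# a home directory resolved beforehand; other paths pass through unchanged.
absolute_target() {
    case "$2" in
        "~/"*) printf '%s/%s' "$1" "${2#??}" ;;
        *)     printf '%s' "$2" ;;
    esac
}

target='~/.x2go/ssh/key.jdT502'   # constructed, modelled on the error message

# Unquoted: the shell performs tilde expansion (the old behaviour relied on).
printf 'unquoted:        %s\n' "$(remote_sees "$target")"
# Quoted: the tilde is an ordinary character, so the directory is not found.
printf 'quoted:          %s\n' "$(remote_sees "$(quote_path "$target")")"
# Resolved first, then quoted: safe against injection and still correct.
resolved=$(absolute_target "$FAKE_HOME" "$target")
printf 'resolved+quoted: %s\n' "$(remote_sees "$(quote_path "$resolved")")"
```

In a real client the home directory would have to be obtained from the server (an assumption here is that it is known as FAKE_HOME) before building the destination path.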
