X2Go Bug report logs - #1429
Tilde expansion no longer performed by libssh after CVE-2019-14889


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Sylvain Cuaz <sylvain@ilm-informatique.fr>

Date: Fri, 20 Dec 2019 17:25:01 UTC

Severity: normal

Tags: pending

Merged with 1428

Found in version 4.1.2.1

Fixed in version 4.1.2.2

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log


Message #16 received at control@bugs.x2go.org:

Received: (at control) by bugs.x2go.org; 20 Dec 2019 19:32:54 +0000
From x2go@ymir.das-netzwerkteam.de  Fri Dec 20 20:32:51 2019
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,NO_RELAYS,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
Received: by ymir.das-netzwerkteam.de (Postfix, from userid 1005)
	id A9F595DAF7; Fri, 20 Dec 2019 20:32:49 +0100 (CET)
From: Mihai Moldovan <ionic@ionic.de>
To: 1428-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1428@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Mailer: http://snipr.com/post-receive-tag-pending
Message-Id: <20191220193249.A9F595DAF7@ymir.das-netzwerkteam.de>
Date: Fri, 20 Dec 2019 20:32:49 +0100 (CET)
tag #1428 pending
fixed #1428 4.1.2.2
thanks

Hello,

X2Go issue #1428 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

The issue will most likely be fixed in src:x2goclient (4.1.2.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit ce559d163a943737fe4160f7233925df2eee1f9a
Author: Mihai Moldovan <ionic@ionic.de>
Date:   Fri Dec 20 20:27:31 2019 +0100

    src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428.
    
    This was already necessary for pascp (PuTTY-based Windows solution for
    Kerberos support), but newer libssh versions with the CVE-2019-14889
    also interpret paths as literal strings.

diff --git a/debian/changelog b/debian/changelog
index 504d6ae..9f84281 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
       sound weird first, but this behavior is consistent between all
       applications - tray icons can be clicked via either button and will
       always trigger a context menu. Let X2Go Client behave the same way.
+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+      destination paths in scp mode. Fixes: #1428. This was already necessary
+      for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+      strings.
   * debian/control:
     + Add build-depend on pkg-config.
   * x2goclient.spec:
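Review bot: the added "- src/sshprocess.cpp:" item lists which prefixes are stripped but not what the destination means afterwards: once "~", "~user", "$HOME" or "${HOME}" is removed, what remains is a relative path that the remote scp resolves against the login user's home directory, so a "~otheruser/" destination now lands in the login user's home rather than in otheruser's. State that in the entry, e.g. "the remaining relative path is resolved against the login user's home directory", so the behaviour change is documented. Also, "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings" reads as if the vulnerability itself, not its fix, is the cause; "with the fix for CVE-2019-14889" is what is meant and matches the bug title "after CVE-2019-14889".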


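The path normalisation the changelog entry describes, as an added example in C++ (the language x2goclient is written in). This is not x2goclient's own code: the function name stripHomePrefix, the collapsing of extra leading slashes and the choice to return "." for a destination that is emptied by the stripping are assumptions of this example. The reason for the stripping is that, with the fix for CVE-2019-14889, libssh hands the destination to the remote scp as a literal string, so a leading "~", "~user", "$HOME" or "${HOME}" that a remote shell used to expand is now taken as a literal file name; dropping the prefix leaves a relative path, which the remote scp resolves against the login user's home directory.

```cpp
#include <iostream>
#include <string>

// Drop a leading "~", "~/", "~user", "~user/", "$HOME", "$HOME/",
// "${HOME}" or "${HOME}/" from an scp destination path, as the changelog
// entry above describes for scp mode. With the CVE-2019-14889 fix libssh
// sends the path to the remote scp as a literal string, so these prefixes
// are no longer expanded by a remote shell; the relative path that remains
// is resolved by the remote scp against the login user's home directory.
// Added example, not x2goclient code. Note that "~otheruser/x" therefore
// ends up in the login user's home, not in otheruser's.
std::string stripHomePrefix(const std::string& path) {
    std::string rest;
    if (!path.empty() && path[0] == '~') {
        // "~", "~/x", "~user", "~user/x": the user name runs to the first '/'
        std::string::size_type slash = path.find('/');
        rest = (slash == std::string::npos) ? "" : path.substr(slash + 1);
    } else {
        // "$HOME" and "${HOME}" only count when followed by '/' or the end
        // of the string, so "$HOMEDIR/x" is left alone.
        static const char* const vars[] = { "${HOME}", "$HOME" };
        bool matched = false;
        for (const char* v : vars) {
            const std::string var(v);
            if (path.compare(0, var.size(), var) == 0 &&
                (path.size() == var.size() || path[var.size()] == '/')) {
                rest = (path.size() == var.size()) ? "" : path.substr(var.size() + 1);
                matched = true;
                break;
            }
        }
        if (!matched) {
            return path;  // absolute or already relative: unchanged
        }
    }
    // Collapse any further leading slashes ("~//x") so the result cannot
    // turn into an absolute path (assumption of this example).
    std::string::size_type first = rest.find_first_not_of('/');
    rest = (first == std::string::npos) ? "" : rest.substr(first);
    // An emptied path means "the home directory itself"; "." is this
    // example's choice for expressing that.
    return rest.empty() ? "." : rest;
}

int main() {
    // Constructed sample destinations, before and after stripping.
    const char* const samples[] = {
        "~/Desktop/file.txt", "~alice/docs", "$HOME/x", "${HOME}/x",
        "$HOMEDIR/x", "/tmp/x", "docs/x"
    };
    for (const char* s : samples) {
        std::cout << s << " -> " << stripHomePrefix(s) << '\n';
    }
    return 0;
}
```

The check that "$HOME" is followed by '/' or by nothing is what keeps unrelated names such as "$HOMEDIR/x" intact; a "~" prefix, by contrast, always names a user (possibly the empty one), so everything up to the first '/' is dropped.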


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 18:36:39 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.