X2Go Bug report logs - #1429
Tilde expansion no longer performed by libssh after CVE-2019-14889

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Sylvain Cuaz <sylvain@ilm-informatique.fr>

Date: Fri, 20 Dec 2019 17:25:01 UTC

Severity: normal

Tags: pending

Merged with 1428

Found in version 4.1.2.1

Fixed in version 4.1.2.2

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Reply-To: Sylvain Cuaz <sylvain@ilm-informatique.fr>, 1429@bugs.x2go.org
Resent-From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Fri, 20 Dec 2019 17:25:01 +0000
Resent-Message-ID: <handler.1429.B.157686249031611@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 1429
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by submit@bugs.x2go.org id=B.157686249031611
          (code B); Fri, 20 Dec 2019 17:25:01 +0000
Received: (at submit) by bugs.x2go.org; 20 Dec 2019 17:21:30 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=3.0 tests=BAYES_20,SPF_HELO_NONE,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2
Received: from 7.mo179.mail-out.ovh.net (7.mo179.mail-out.ovh.net [46.105.61.94])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 58EBE5DAE7
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 18:21:26 +0100 (CET)
Received: from player796.ha.ovh.net (unknown [10.108.54.94])
	by mo179.mail-out.ovh.net (Postfix) with ESMTP id D3B09152F1A
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 18:21:25 +0100 (CET)
Received: from ilm-informatique.fr (38.233.153.77.rev.sfr.net [77.153.233.38])
	(Authenticated sender: sylvain@ilm-informatique.fr)
	by player796.ha.ovh.net (Postfix) with ESMTPSA id 437A4D696DC2
	for <submit@bugs.x2go.org>; Fri, 20 Dec 2019 17:21:25 +0000 (UTC)
From: Sylvain Cuaz <sylvain@ilm-informatique.fr>
To: submit@bugs.x2go.org
Message-ID: <cd6dd615-289f-6914-7668-9190b8aca97e@ilm-informatique.fr>
Date: Fri, 20 Dec 2019 18:21:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
X-Ovh-Tracer-Id: 222083760637030345
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedufedrvddufedgleekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecuhedttdenucenucfjughrpefhuffvkffffgggtgfgsehtjeertddtfeejnecuhfhrohhmpefuhihlvhgrihhnucevuhgriicuoehshihlvhgrihhnsehilhhmqdhinhhfohhrmhgrthhiqhhuvgdrfhhrqeenucffohhmrghinhepuhgsuhhnthhurdgtohhmpdhlihgsshhshhdrohhrghenucfkpheptddrtddrtddrtddpjeejrdduheefrddvfeefrdefkeenucfrrghrrghmpehmohguvgepshhmthhpqdhouhhtpdhhvghlohepphhlrgihvghrjeeliedrhhgrrdhovhhhrdhnvghtpdhinhgvtheptddrtddrtddrtddpmhgrihhlfhhrohhmpehshihlvhgrihhnsehilhhmqdhinhhfohhrmhgrthhiqhhuvgdrfhhrpdhrtghpthhtohepshhusghmihhtsegsuhhgshdrgidvghhordhorhhgnecuvehluhhsthgvrhfuihiivgeptd

Package: x2goclient
Version: 4.1.1.1

SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.

Client OS Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS Ubuntu 16.04.6 LTS

Since december, 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message :
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.

After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
https://usn.ubuntu.com/4219-1/ for the ubuntu packages

A similar issue is handled for Windows in SshProcess::start_cp()

As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Nov 18 02:51:19 2025; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.