From sylvain@ilm-informatique.fr Fri Dec 20 18:21:27 2019
From: Sylvain Cuaz
To: submit@bugs.x2go.org
Subject: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Fri, 20 Dec 2019 18:21:24 +0100

Package: x2goclient
Version: 4.1.1.1

SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.

Client OS: Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS: Ubuntu 16.04.6 LTS

Since December 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message:
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.

After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
https://usn.ubuntu.com/4219-1/ for the Ubuntu packages

A similar issue is handled for Windows in SshProcess::start_cp()

As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.

From ionic@ionic.de Fri Dec 20 19:06:25 2019
To: Sylvain Cuaz, 1429@bugs.x2go.org
From: Mihai Moldovan
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Date: Fri, 20 Dec 2019 19:06:14 +0100
Control: reassign -1 x2goclient 4.1.2.1
Control: forcemerge -1 1428

* On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
> SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.
> [...]
> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
> https://usn.ubuntu.com/4219-1/ for the Ubuntu packages

Yes, I think that this change has been intentional. I'll have to fix that in X2Go Client and I know how to do this easily to retain support for pre-patched and patched versions.

I will, however, probably not be able to provide new release versions with that fix (and others) for about a month.

I'll let you know when fixed nightly versions are available, though.

> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.

Please don't do that OR recommend that. You're essentially now running without the CVE fix, which is probably worse than a broken client.
Mihai

From x2go@ymir.das-netzwerkteam.de Fri Dec 20 20:32:51 2019
From: Mihai Moldovan
To: 1428-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1428@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Date: Fri, 20 Dec 2019 20:32:49 +0100 (CET)

tag #1428 pending
fixed #1428 4.1.2.2
thanks

Hello,

X2Go issue #1428 (src:x2goclient) reported by you has been fixed in X2Go Git.

You can see the changelog below, and you can check the diff of the fix at:

http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

The issue will most likely be fixed in src:x2goclient (4.1.2.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit ce559d163a943737fe4160f7233925df2eee1f9a
Author: Mihai Moldovan
Date: Fri Dec 20 20:27:31 2019 +0100

    src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings.

diff --git a/debian/changelog b/debian/changelog
index 504d6ae..9f84281 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium sound weird first, but this behavior is consistent between all applications - tray icons can be clicked via either button and will always trigger a context menu. Let X2Go Client behave the same way. + - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from + destination paths in scp mode. Fixes: #1428. This was already necessary + for pascp (PuTTY-based Windows solution for Kerberos support), but newer + libssh versions with the CVE-2019-14889 also interpret paths as literal + strings. * debian/control: + Add build-depend on pkg-config. * x2goclient.spec:
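Review bot: The added changelog lines say "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings", which reads as if those versions carry the vulnerability rather than its fix; suggest "newer libssh versions patched for CVE-2019-14889 also interpret paths as literal strings." The entry would also benefit from stating that stripping "~user{,/}" relies on user being the login user (the remote scp working directory is that user's home), since "~otheruser/..." cannot be made relative the same way; and because only the debian/changelog hunk appears here, the src/sshprocess.cpp change the entry describes has to be reviewed at the linked commitdiff.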
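As an added example (not x2goclient's own code, which is only linked above), this is the client-side normalisation the commit message describes, written in C++: home-directory prefixes are stripped so the destination becomes relative to the scp working directory, which is the login user's home on both pre-fix and post-CVE-2019-14889 libssh. The function names, the pass-through of "~otheruser/..." and the mapping of a bare home path to "." are assumptions, not details taken from the commit.

```cpp
#include <iostream>
#include <string>

// Strip a "home" prefix from an scp destination so the remainder is relative
// to the remote scp working directory (the login user's home directory).
// 'user' is the login user name. Assumption: only "~<login user>" is stripped;
// "~otheruser/..." has no relative equivalent and is passed through unchanged.
std::string stripHomePrefix(const std::string& dst, const std::string& user) {
    // Most specific form first, so "~ilm/..." is not mistaken for a bare "~"
    // followed by a non-slash character.
    const std::string prefixes[] = {"~" + user, "~", "${HOME}", "$HOME"};
    for (const std::string& p : prefixes) {
        if (dst.compare(0, p.size(), p) != 0) {
            continue;                       // prefix absent
        }
        if (dst.size() == p.size()) {
            return ".";                     // bare "~ilm" / "$HOME": the home itself (assumption)
        }
        if (dst[p.size()] != '/') {
            continue;                       // "~ilmx/..." or "$HOMEDIR/...": not a whole component
        }
        std::string::size_type i = p.size();
        while (i < dst.size() && dst[i] == '/') {
            ++i;                            // drop the separator(s) after the prefix
        }
        return i < dst.size() ? dst.substr(i) : ".";
    }
    return dst;                             // no home prefix: leave the path alone
}

// The destination exactly as the bug report says ONMainWindow::exportDirs()
// builds it: "~" + uname + "/.x2go/ssh/" + file.
std::string legacyDestination(const std::string& uname, const std::string& file) {
    return "~" + uname + "/.x2go/ssh/" + file;
}

// The same destination after normalisation. Relative paths work with both
// pre-fix libssh (which expanded the tilde) and patched libssh (which quotes
// the path literally), because scp starts in the login user's home either way.
std::string scpDestination(const std::string& uname, const std::string& file) {
    return stripHomePrefix(legacyDestination(uname, file), uname);
}

int main() {
    // Constructed sample destinations; "ilm" is the login user from the report.
    const char* samples[] = {"~ilm/.x2go/ssh/key.jdT502", "~/.x2go/ssh/", "${HOME}/.x2go",
                             "$HOME", "~ilmx/foo", "~other/foo", "$HOMEDIR/foo", "/tmp/foo"};
    for (const char* s : samples) {
        std::cout << s << " -> " << stripHomePrefix(s, "ilm") << '\n';
    }
    return 0;
}
```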

From: Sylvain Cuaz
Date: Fri, 20 Dec 2019 21:44:07 +0100

On 20/12/2019 at 19:06, Mihai Moldovan wrote:
> Control: reassign -1 x2goclient 4.1.2.1
> Control: forcemerge -1 1428
>
> * On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
>> SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.
>> [...]
>> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
>> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
>> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
>> https://usn.ubuntu.com/4219-1/ for the Ubuntu packages
> Yes, I think that this change has been intentional. I'll have to fix that in
> X2Go Client and I know how to do this easily to retain support for pre-patched
> and patched versions.
>
> I will, however, probably not be able to provide new release versions with that
> fix (and others) for about a month.
>
> I'll let you know when fixed nightly versions are available, though.

OK thanks

>> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
> Please don't do that OR recommend that. You're essentially now running without
> the CVE fix, which is probably worse than a broken client.

Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings.

From ionic@ionic.de Sat Dec 21 00:30:56 2019
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
To: Sylvain Cuaz, 1429@bugs.x2go.org
From: Mihai Moldovan
d5k0fxUq5IicRmxvmMOCOv2pwk1uIMdOD1KFpIK73vB2EIC1EJVBenFyz2WOW1saelfnL5dw hDMAck2yVIppXe+QKfVHzEIfyun9MaRBoBG3eqA3mSE+nyuJvbaIa6/VMXUCgkEzbAzzTts9 sc6+3AAjmy7ruwE5q58i72uWq2P0x/hf12c4MbISCxGz1kDBH1xSdy4Gu5JrIdlMbnB5m+s/ 25/DJUTFHKBadHKjyVCW2py32fsgW06XJWrxFU9YIvgtkqpPILgNP+ey9Leuw85ugxFDNooa loDRHhoZ01B6HxbVmnoOwRv9oh9tohIbgg0EjEfCiismsysWeXdQh6QIMrMQbmjrfPtBpCAp y5kYjtOBs16EOfBVJwnoE11rVGq34LsEGx1fqJMr82awMI6u50tz7F1MQcVMvWoLDnkwyE5Y viKHy1xmV793ByprMcbHz4/sc61J4EHABPxM+OTjrD1tniaMkLHVa5daJJoxVwKetu7voqhS 1WKYUiYYezUUzQNoV7lQO3CFNqnsEZNUM2wyub2f02n0pdzJazBP2zbdJHjTAP14TT9s/dPH 9VNQ7bkCDQRI6JObARAA8Prkme+BPwRqallmmNUuWC8Yt+J6XjYAH+Uf0k/H6MLA7Z+ZL8AH Q+0N306r/YFVnw2SjhaDODwhRoMvdOKtoIcJZ9L0LQAtizhZMbHCb+CMtcezGZXamXXpk10T zrbI9gnROz1xBnTkzpuOkgo43HRx7GuYy+imM4Lxh/hfgRM6MFjQlcIsUd0UGRCxuq8QmxRq QpRougCwPeXjfOeMRkaQUI7A8kLJ7bTmSzjB9fSBv63b7bajhFHid1COYGe3EZOYRi1RTzbl Tnq2Fdv+BN/ve/9BdZgApfRSX8QkuLsuZF9OWHxIs3wwpvqFoyBXR29CqgrcQFFA/Lm3i/de 3kFuXJUVFTYM4tLwV85J9yGtK6nUsA/v6LXcaTGrQ9P3rJ3iVPYKuyF2w8IMqvFTnHu6+nCv BJxLymOsYJFN4W/5TYdWk1hdIYmmNlM/PH+RWL8z+1WWZgZOBPFJ0FQQbDvTMP6m0/GZT1ZF UVoBG/FAiIQ9UDl8gRsGfe0wS6gzk2evXeAZQyZCii3Dni7Di2KjaPpnl/1F7Zelueb7Vbgd oPRmND9rFixI6bFC4yjlSnL5iwIiULDkLDJN5lcRHI5FO/6bzwVSgHmI+eMlNA/hysdTtp9A jE7VkVxeC9TJ+kEZDv5VUTSxUpNsWj922PkX+78EYPPGTOG4xx7PMqcAEQEAAYkCPAQYAQgA JgIbDBYhBG4R0I91M4HHRPHIPB/WLtluJTqHBQJdenDOBQkWhtczAAoJEB/WLtluJTqHKM0Q ANVcqOv2h5GAqWLN55+Vupdvys3M0WcH1sNiIVbALWPj0AIjjoc5dpq228QAqV9g4wzKFuxi wgLBq3SNMWJ9dtd7rn8ERZ7ssfJE2Px3mTR/FSrkiJxGbG+Yw4I6/anCTW4gx04PUoWkgrve 8HYQgLUQlUF6cXLPZY5bWxp6V+cvl3CEMwByTbJUimld75Ap9UfMQh/K6f0xpEGgEbd6oDeZ IT6fK4m9tohrr9UxdQKCQTNsDPNO2z2xzr7cACObLuu7ATmrnyLva5arY/TH+F/XZzgxshIL EbPWQMEfXFJ3Lga7kmsh2UxucHmb6z/bn8MlRMUcoFp0cqPJUJbanLfZ+yBbTpclavEVT1gi +C2Sqk8guA0/57L0t67Dzm6DEUM2ihqWgNEeGhnTUHofFtWaeg7BG/2iH22iEhuCDQSMR8KK KyazKxZ5d1CHpAgysxBuaOt8+0GkICnLmRiO04GzXoQ58FUnCegTXWtUarfguwQbHV+okyvz ZrAwjq7nS3PsXUxBxUy9agsOeTDITli+IofLXGZXv3cHKmsxxsfPj+xzrUngQcAE/Ez45OOs 
PW2eJoyQsdVrl1okmjFXAp627u+iqFLVYphSJhh7NRTNA2hXuVA7cIU2qewRk1QzbDK5vZ/T afSl3MlrME/bNt0keNMA/XhNP2z908f1U1DtuQINBEjok5sBEADw+uSZ74E/BGpqWWaY1S5Y Lxi34npeNgAf5R/ST8fowsDtn5kvwAdD7Q3fTqv9gVWfDZKOFoM4PCFGgy904q2ghwln0vQt AC2LOFkxscJv4Iy1x7MZldqZdemTXRPOtsj2CdE7PXEGdOTOm46SCjjcdHHsa5jL6KYzgvGH +F+BEzowWNCVwixR3RQZELG6rxCbFGpClGi6ALA95eN854xGRpBQjsDyQsnttOZLOMH19IG/ rdvttqOEUeJ3UI5gZ7cRk5hGLVFPNuVOerYV2/4E3+97/0F1mACl9FJfxCS4uy5kX05YfEiz fDCm+oWjIFdHb0KqCtxAUUD8ubeL917eQW5clRUVNgzi0vBXzkn3Ia0rqdSwD+/otdxpMatD 0/esneJU9gq7IXbDwgyq8VOce7r6cK8EnEvKY6xgkU3hb/lNh1aTWF0hiaY2Uz88f5FYvzP7 VZZmBk4E8UnQVBBsO9Mw/qbT8ZlPVkVRWgEb8UCIhD1QOXyBGwZ97TBLqDOTZ69d4BlDJkKK LcOeLsOLYqNo+meX/UXtl6W55vtVuB2g9GY0P2sWLEjpsULjKOVKcvmLAiJQsOQsMk3mVxEc jkU7/pvPBVKAeYj54yU0D+HKx1O2n0CMTtWRXF4L1Mn6QRkO/lVRNLFSk2xaP3bY+Rf7vwRg 88ZM4bjHHs8ypwARAQABiQI8BBgBCAAmAhsMFiEEbhHQj3UzgcdE8cg8H9Yu2W4lOocFAl16 cM8FCRaG1zMACgkQH9Yu2W4lOoeg2g//bEUXU3+TEu30Viix530A9zSkA0ScIuoYsywVy9rY 2TU8hrAvjhNjQTDQqxL2Qk4ijzkubKB+gUEu2defsJY8P2g3CtEU5BGeKD6rUdDfwGdm+cra +w13rcQVDZgDLtLXPA4hpLF/7f8zr0MB6I+c+TO3ePSOGYY4FiwhMan/2uqHPG4aknDe4DIe CTyokt4kMY2yYAaWkv9fJfl4FoHi5nlMwoAUPYtDSbg2J4ln83DIRMzLopL0FSct0KQxEwn+ 9ZA1xUBV9ldXvpqa5bMkqih3Nq/sWRAHk/HieVjkCQOL/2RPs0zBggGVaFq7suxxfNHDaS6V KEkhk55mzl88C9MdcxODfLW4emjSKLbLwmMW16TlGEP37WpctaU5+y46TnFUp0J2tlQtJZjO XQYBOYExP3UwykxB8qqHnV6oxGTXDa+vVYJOOH/oEG423O2wx7ZrZkwn3EFgMR5KctagtR9p yY8VZnXP0FWSNqmbluA57drBPFrbKu5VvBfdx2ByJ5CYif88mA7lLcUix7PNqurgpblDsHzJ yH/c7rtlS/Tre/63adLfr8dco2iJo0UH8QIlC1h1439u19eDKtLvJh12ps7FHfUgDnJvxSVG PfSwPH9prRd3coBHIi5w72U5Bzh4C/0M1/qZaffKDMZi+9bssC22gY6adAaqWd1AoLu5Ag0E SOiTmwEQAPD65JnvgT8EampZZpjVLlgvGLfiel42AB/lH9JPx+jCwO2fmS/AB0PtDd9Oq/2B VZ8Nko4Wgzg8IUaDL3TiraCHCWfS9C0ALYs4WTGxwm/gjLXHsxmV2pl16ZNdE862yPYJ0Ts9 cQZ05M6bjpIKONx0cexrmMvopjOC8Yf4X4ETOjBY0JXCLFHdFBkQsbqvEJsUakKUaLoAsD3l 43znjEZGkFCOwPJCye205ks4wfX0gb+t2+22o4RR4ndQjmBntxGTmEYtUU825U56thXb/gTf 73v/QXWYAKX0Ul/EJLi7LmRfTlh8SLN8MKb6haMgV0dvQqoK3EBRQPy5t4v3Xt5BblyVFRU2 
DOLS8FfOSfchrSup1LAP7+i13Gkxq0PT96yd4lT2CrshdsPCDKrxU5x7uvpwrwScS8pjrGCR TeFv+U2HVpNYXSGJpjZTPzx/kVi/M/tVlmYGTgTxSdBUEGw70zD+ptPxmU9WRVFaARvxQIiE PVA5fIEbBn3tMEuoM5Nnr13gGUMmQootw54uw4tio2j6Z5f9Re2Xpbnm+1W4HaD0ZjQ/axYs SOmxQuMo5Upy+YsCIlCw5CwyTeZXERyORTv+m88FUoB5iPnjJTQP4crHU7afQIxO1ZFcXgvU yfpBGQ7+VVE0sVKTbFo/dtj5F/u/BGDzxkzhuMcezzKnABEBAAGJAjwEGAEIACYCGwwWIQRu EdCPdTOBx0TxyDwf1i7ZbiU6hwUCXXpwzwUJFobXMwAKCRAf1i7ZbiU6h6DaD/9sRRdTf5MS 7fRWKLHnfQD3NKQDRJwi6hizLBXL2tjZNTyGsC+OE2NBMNCrEvZCTiKPOS5soH6BQS7Z15+w ljw/aDcK0RTkEZ4oPqtR0N/AZ2b5ytr7DXetxBUNmAMu0tc8DiGksX/t/zOvQwHoj5z5M7d4 9I4ZhjgWLCExqf/a6oc8bhqScN7gMh4JPKiS3iQxjbJgBpaS/18l+XgWgeLmeUzCgBQ9i0NJ uDYniWfzcMhEzMuikvQVJy3QpDETCf71kDXFQFX2V1e+mprlsySqKHc2r+xZEAeT8eJ5WOQJ A4v/ZE+zTMGCAZVoWruy7HF80cNpLpUoSSGTnmbOXzwL0x1zE4N8tbh6aNIotsvCYxbXpOUY Q/ftaly1pTn7LjpOcVSnQna2VC0lmM5dBgE5gTE/dTDKTEHyqoedXqjEZNcNr69Vgk44f+gQ bjbc7bDHtmtmTCfcQWAxHkpy1qC1H2nJjxVmdc/QVZI2qZuW4Dnt2sE8Wtsq7lW8F93HYHIn kJiJ/zyYDuUtxSLHs82q6uCluUOwfMnIf9zuu2VL9Ot7/rdp0t+vx1yjaImjRQfxAiULWHXj f27X14Mq0u8mHXamzsUd9SAOcm/FJUY99LA8f2mtF3dygEciLnDvZTkHOHgL/QzX+plp98oM xmL71uywLbaBjpp0BqpZ3UCguw== Message-ID: <49a3da90-9646-7d24-1d12-2187700bc730@ionic.de> Date: Sat, 21 Dec 2019 00:30:51 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="MqSvusG155LSNgaQs8GgHJBydnnDm5AFO" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --MqSvusG155LSNgaQs8GgHJBydnnDm5AFO Content-Type: multipart/mixed; boundary="ZhVHu9RxIfwNXeDrckr9vpxV2f7O6uBFa"; protected-headers="v1" 
To: Sylvain Cuaz, 1429@bugs.x2go.org
Message-ID: <49a3da90-9646-7d24-1d12-2187700bc730@ionic.de>
Subject: Re: [X2Go-Dev] Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
References: <5c04ddf5-0cb9-eff2-0346-d37115f7c07e@ionic.de>

* On 12/20/19 9:44 PM, Sylvain Cuaz wrote:
> On 20/12/2019 at 19:06, Mihai Moldovan wrote:
>> I'll let you know when fixed nightly versions are available, though.
>
> OK thanks

Nightly builds should incorporate the fix now.

Mihai

From x2go@ymir.das-netzwerkteam.de Wed Feb 12 22:47:02 2020
From: X2Go Release Manager
To: 1428-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1428@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Message-Id: <20200212214702.4A6245DD12@ymir.das-netzwerkteam.de>
Date: Wed, 12 Feb 2020 22:46:57 +0100 (CET)

close #1428
thanks

Hello,

we are very hopeful that X2Go issue #1428 reported by you has been resolved in the new release (4.1.2.2) of the X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.1.2.2) below, and you can use the following link to view all the code changes between this and the last release of src:x2goclient.

http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=e70a27961cf391406c13e52fa54f4731fa8ca189;hp=84dcac55b72c6c09f2cdddcd5bde5137a441223d

If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.1.2.2-0x2go1
Status: RELEASE
Timestamp: 1581543720
Date: Wed, 12 Feb 2020 22:42:00 +0100
Fixes: 1307 1320 1393 1418 1425 1428
Changes:
x2goclient (4.1.2.2-0x2go1) RELEASED; urgency=medium
  .
  [ Oleksandr Shneyder ]
  * New upstream version (4.1.2.2):
    - Add SSH instruction to list of errors if keyboard-interactive auth has failed.
    - Add new broker feature. Broker can send to client some configuration in the section START_CLIENT_CONFIG - END_CLIENT_CONFIG. For the moment the supported option is events=bool. If true, the client sends events to the broker: CONNECTING, CONNECTED, SUSPENDING, TERMINATING, FINISHED. It's not a real session state, but rather the state of X2Go Client.
    - Save session command in resumingSession.command.
    - Send in broker event the duration of session on client.
    - If client is configured to send events, the broker can ask client to send ALIVE events. To do this, broker should send config option "liveevent" (int). It means, if liveevent=10, client will send ALIVE event to broker every 10 seconds while the client is connected to the X2Go session.
    - Broker can send to client command to suspend or terminate the session as an answer to the client event message. For this broker should send to client SUSPEND ID or TERMINATE ID.
    - Client now sends "login" parameter to the broker when executing task "selectsession". Before, client just sent a username on the broker and it was impossible to find out the user name on the X2Go server, which is not always the same as the broker username. This won't break compatibility with previous brokers as they will just ignore this parameter.
    - X2Gokdrive support for X2GoClient.
    - Fix authentication on http broker when sending event.
    - Fix resuming sessions on multiple servers.
    - Initializing sessionId, command and display for direct RDP to comply with standard sessions.
    - Direct RDP session sends to broker event CONNECTED instead of CONNECTING at start of RDP client.
    - Fixing setting correct session command when resuming the session.
    - Don't exit if sending event to http broker has failed.
    - If using x2go broker and ssh proxy check for the option "usebrokeruserforproxy" in the session file. If it's "true", use the same username for the proxy as broker login.
    - Broker can send to client the number of suspended and running sessions for each session type. Client will display this information to user on session button.
    - update copyright years in about dialog.
    - Do not show password in debug output of HTTP broker.
    - Fix crashing if the path for automount in the session config file is in the wrong format. Supporting both Windows and Linux paths in automount format. Check if path exists before mounting.
    - Do not show Pulseaudio warning on Windows, if Pulseaudio is disabled in settings or by command line.
    - Improve request handling in HTTP broker.
    - Add possibility to suspend and terminate sessions from session selection dialog in broker mode.
    - Do not delete session from list if terminating of session is canceled.
  .
  [ Mihai Moldovan ]
  * New upstream version (4.1.2.2):
    - src/printwidget.cpp: add QButtonGroup include, fixes compile errors with Qt 5.11+. Fixes: #1307.
    - macbuild.sh: switch to bundling PulseAudio 12.1 since it's now available in MacPorts.
    - x2goclient.pro: detect libssh and libssh_threads via pkgconfig on UNIX-based platforms. libssh_threads is optional if the libssh version is high enough.
    - x2goclient.pro: let static Linux configuration override the new pkgconfig-based libssh usage.
    - x2goclient.pro: make system a non-variable call.
    - x2goclient.pro: fix qmake control flow for libssh logic, we really wanted to use else if for the Windows section and have the general else section being the general fallback.
    - x2goclient.pro: fix quoting issue in system() call. Qmake's quoting rules are really weird.
    - macbuild.sh: switch to bundling PulseAudio 12.2 since it's now available in MacPorts.
    - res/i18n/x2goclient_cs.ts: whitespace and other fixups.
    - src/x2goclient.cpp: change HTTP to HTTPS links where needed.
    - src/x2goclient.cpp: do not spawn UNIX cleanup helper if arguments that let X2Go Client terminate right away have been passed. More work is needed here, but that should cover the most basic bits.
    - src/onmainwindow.{cpp,h}: remove left-over references to agentCheckTimer and slotCheckAgentProcess ().
    - src/onmainwindow.cpp: fix various broken qCritical () calls.
    - src/{onmainwindow.{cpp,h},{sshmasterconnection,help}.cpp}: let users control libssh debugging via the new parameters --libssh-debug and --libssh-packetlog. Properly document the new switches and their implications.
    - src/sshmasterconnection.cpp: drop DEBUG preprocessor conditional blocks. We have never actually disabled it and x2goDebug () will not write out anything if debugging has not been requested, so we already have a soft condition check for every x2goDebug () call.
    - src/x2goclient.cpp: do not use std::array since that's a C++11 feature, just live with plain C arrays for now.
    - x2goclient.pro: fix libssh_threads logic again. Ubuntu Bionic/18.04 ships a pre-release version of 0.8.0, which is tagged as that version, but really based upon 0.7.x and still has/needs a libssh_threads library. Big "Wat?" to you, Canonical. Fixes: #1320.
    - src/x2goclient.cpp: fix array length calculation.
    - Windows: Update PuTTY from 0.70 to 0.71. Fixes quite a list of issues discovered through the EU-funded bug bounty programme. Not all are relevant to X2Go Client.
    - Windows: upgrade bundled VcXsrv to 1.20.1.4.
    - src/sshmasterconnection.cpp: use info (protocol) log level with --libssh-debug and debug (packet) log level with --libssh-packetlog.
    - src/sshmasterconnection.cpp: fix compiler warning due to mismatching argument with older libssh versions.
    - Makefile: clear out LDFLAGS, add new (cleared) LIBS variable and pass down as QMAKE_LIBS. The previous behavior was leading to compile failures on arm64 machines (albeit only old distro versions, apparently), because QMAKE_LFLAGS is being put on the command line *before* the actual object files to be included/linked, which is an error for system libraries. Builds will still fail after this commit, but that's okay.
    - x2goclient.pro: add libraries that we always want to use on Linux correctly to LIBS and use a bigger catch clause. That should work much better, since linux-g++ and linux-g++-64 are x86-specific, while there are way more potentially useful targets like linux-aarch64-gnu-g++, clang, llvm, icc etc.
    - x2goclient.pro: while a linux scope seems to work fine with Qt5, Qt4 doesn't recognize that, so add another linux-* catch.
    - Windows: add support for x3270-fonts, including adding a pretty nasty but necessary fonts.* file regeneration hook.
    - {x2goclient,help,onmainwindow}.cpp: implement new --bypass-cleanup-helper parameter.
    - src/onmainwindow.cpp: fix building with Qt 4.6, currently the latest version available in EPEL 6.
    - src/onmainwindow.cpp: unbreak builds by fixing syntax error.
    - src/onmainwindow.cpp: also unbreak old EPEL 6 builds.
    - src/onmainwindow.cpp: add (and prefer) non-compat-symlink scp server location for 64-bit-based Gentoo distros (17.1+ profiles). Fixes: #1393.
    - res/i18n/x2goclient_*.ts: replace changed source strings, no retranslations required.
    - src/httpbrokerclient.cpp: do not leak password length in debug output either.
    - src/sessionwidget.cpp: stop parsing proxy address as "host:port" if the address contains a colon. Fixes: #1418. We don't do this for the "normal" host address and this behavior clashes with IPv6 addresses. We COULD, theoretically, keep it, but that would require writing an arbitrary address parser. Too much effort for little gain.
    - src/onmainwindow.cpp: also remove proxy "host:port" parsing at connect time. Fixes: #1418.
    - macbuild.sh: switch to bundling PulseAudio 13.0 since it's now available in MacPorts.
    - src/onmainwindow.cpp: disable "left click" action on OS X/macOS. This platform always gets a left click event, even when right clicked. May sound weird first, but this behavior is consistent between all applications - tray icons can be clicked via either button and will always trigger a context menu. Let X2Go Client behave the same way.
    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 fix also interpret paths as literal strings.
    - src/SVGFrame.cpp: simplify implementation a lot. Only paint data onto the widget in the paintEvent () function. Drop setting a palette based upon the rendered SVG image, which has been very wrong to do from the beginning and only led to visual glitches. Correctly repaint single-frame SVG files.
    - src/sshmasterconnection.cpp: work around lupdate warning by adding another block in the #else preprocessor branch.
    - res/i18n/x2goclient_*.ts: update translation files.
    - Windows: Update PuTTY from 0.71 to 0.73. Fixes another round of issues discovered through the EU-funded bug bounty programme and other security problems.
    - src/onmainwindow.cpp: stop PulseAudio from spamming logs after a client disconnects. Fixes: #1425. Patch based on one submitted by Ville Salmela.
    - src/onmainwindow.cpp: instead of searching for "sftp-binary", try to look for "sftp-server" in the Qt 5.x code path. Luckily this only affects cases where we bundle sftp-server (which we don't) or where sftp-server is actually part of $PATH (which it usually shouldn't be).
    - Windows: upgrade bundled VcXsrv to 1.20.6.0.
    - Windows: upgrade PulseAudio from 7.1 to 13.0.
    - Windows: remove libz. Was previously used by libzip, which has not been shipped for quite some time.
    - Windows: Update Win32 OpenSSL from 1.0.2n to 1.0.2u. Implicit.
    - Windows: Upgrade libssh from 0.7.4 to 0.9.3 (while maintaining Pageant support). Drop libssh_threads library not provided (or used) any longer.
    - x2goclient.pro: update comment mentioning that libssh does not provide pkgconfig files on non-UNIX/Windows platforms any longer and drop libssh_thread linkage.
    - res/i18n/x2goclient_nl.ts: add missing singular form to a multi-form entry.
    - res/i18n/x2goclient_cs.ts: fix up whitespace and mark actually finished translation string as such, also removing my previous comment.
    - res/i18n/x2goclient_nb_no.ts: fix up whitespace and typos.
    - res/i18n/x2goclient_de.ts: better translate UNIX cleanup helper and fix "X2Go Client" as "X2GoClient" globally.
    - misc: pre-release copyright update.
    - src/onmainwindow.cpp: update in-code copyright notice.
    - res/i18n/x2goclient_*.ts: update copyright notice in about dialog manually.
    - src/onmainwindow.cpp: add comment for translators encouraging them to add themselves to copyright notice.
    - res/i18n/x2goclient_*.ts: update after source code changes and comment addition.
    - res/i18n/x2goclient_*.ts: mark copyright translation string as unfinished for already translated languages (but Finnish) to alert translators of the new comment.
    - man/man1/x2goclient.1: pre-release date update.
  * debian/control:
    + Add build-depend on pkg-config.
  * x2goclient.spec:
    + Build-depend on pkg-config.
    + EPEL packages need to depend upon pkgconfig for now, not pkg-config.
    + Pull in redhat-rpm-config manually. This should probably be done by something else, like... gcc or qmake or qt(4)-dev, but it isn't.
    + Try to ignore gettext-tools-mini on *SuSE to force installation of the new/renamed gettext-runtime-mini package.
    + It's %endif, not %fi.
    + Revert the gettext-tools-mini change, was caused by an outdated obs-build version.
  .
  [ Mike Gabriel ]
  * New upstream version (4.1.2.2):
    - Add support for Nix OS for common_sftp_dirs's hard-coded sftp-server paths.
    - src/sessionwidget.cpp: Rename shadowing sessiontype to 'X2Go/X11 Desktop Sharing'.
    - man/man1/x2goclient.1: Add explanation for the --broker-name option.
    - res/resources.qrc: Add Czech translation file.
    - Update qt_.qm files from Qt5 v5.11.2.
    - Rename radio button labels for xfreerdp options' style.
  * debian/control:
    + In x2goclient R, prefer freerdp2-x11 over rdesktop over freerdp-x11 (which is broken these days anyway).
    + In x2goclient D, add x2gokdriveclient.
    + In x2goclient D, add hello as an alternative to x2gokdriveclient. Works around non-available x2gokdriveclient on Debian jessie.
  .
  [ Tom Ruzicka ]
  * New upstream release (4.1.2.2):
    - Add new translation: Czech.
    - Second update round of Czech translation + enable it in x2goclient.pro.
  .
  [ Ulrich Sibiller ]
  * New upstream release (4.1.2.2):
    - src/sshmasterconnection.cpp: close channel on failure in checkLogin ().
    - src/sshmasterconnection.{cpp,h}: skip checkLogin() if hostname starts with "!". Some special ssh proxies will not allow arbitrary commands. checkLogin() will break these sessions because it tries to run the echo command on the proxy. By specifying a "!" as the first character of the (proxy) hostname you can instruct x2goclient to skip the checkLogin() call altogether. Note that this will break proxies that require you to change your password or some other type of interaction. As this is added to SshMasterConnection it is also valid to specify that for the server hostname although this is not very useful.
  .
  [ Jos Wolfkamp ]
  * New upstream version (4.1.2.2):
    - res/i18n/x2goclient_nl.ts: update Dutch translation file.
  .
  [ Sébastien Ducoulombier ]
  * New upstream version (4.1.2.2):
    - res/i18n/x2goclient_fr.ts: update French translation file.
    - res/i18n/x2goclient_fr.ts: add missing sentence and UTF-8-ize entries.
  .
  [ Ruda Vallo ]
  * New upstream version (4.1.2.2):
    - res/i18n/x2goclient_cs.ts: update Czech translation file.
  .
  [ Klaus Ade Johnstad ]
  * New upstream version (4.1.2.2):
    - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file.
    - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file.
  .
  [ Stefan Baur ]
  * New upstream release (4.1.2.2):
    - res/i18n/x2goclient_de.ts: update German translation file.
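The src/sshprocess.cpp entry in the changelog above is the fix for this report: once libssh (after the fix for CVE-2019-14889) passes the scp location to the remote side as a literal string, a "~user/.x2go/ssh/..." destination is no longer expanded by the remote shell, so the client has to hand scp a path relative to the login user's home directory instead. The following is an added example of such prefix stripping, written for this page and not taken from x2goclient; the user name and sample paths are constructed.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Added example (not x2goclient's code): remove a leading reference to the
// login user's home directory from an scp destination so that the remainder is
// relative to that home directory, which is where the remote scp sink resolves
// relative paths. The forms handled are the ones the changelog entry names:
// ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/}. `user` is the remote login name
// (assumption: the account the SSH session authenticated as).
std::string stripHomePrefix(const std::string &dst, const std::string &user) {
    // User-specific forms first so "~ilm/..." is matched as a whole.
    const std::vector<std::string> prefixes = {
        "~" + user + "/", "~" + user,
        "${HOME}/", "${HOME}",
        "$HOME/", "$HOME",
        "~/", "~",
    };
    for (const std::string &p : prefixes) {
        if (dst.compare(0, p.size(), p) != 0) {
            continue;
        }
        // A prefix without a trailing slash must end at a path component
        // boundary: "~ilmx/file" is not "~ilm" + "x/file", and "~other/file"
        // names a different account whose home we cannot resolve here, so both
        // are left untouched rather than guessed at.
        if (p.back() != '/' && dst.size() > p.size() && dst[p.size()] != '/') {
            continue;
        }
        std::string rest = dst.substr(p.size());
        // Collapse leftover leading slashes from inputs such as "~ilm//x".
        while (!rest.empty() && rest.front() == '/') {
            rest.erase(0, 1);
        }
        // An empty remainder means the home directory itself.
        return rest.empty() ? "." : rest;
    }
    // Absolute paths and paths that are already relative pass through unchanged.
    return dst;
}

int main() {
    // Constructed sample: the destination from the bug report, assembled the
    // way the client used to build it ("~" + user + "/.x2go/ssh/" + file).
    const std::string user = "ilm";
    const std::string before = "~" + user + "/.x2go/ssh/key.jdT502";
    std::cout << before << " -> " << stripHomePrefix(before, user) << '\n';
    return 0;
}
```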
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#1429 closed by X2Go Release Manager (X2Go issue (in src:x2goclient) has been marked as closed)
References: <20200212214702.4A6245DD12@ymir.das-netzwerkteam.de>
Date: Wed, 12 Feb 2020 21:50:13 +0000

This is an automatic notification regarding your Bug report which was filed against the x2goclient package:

#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889

It has been closed by X2Go Release Manager.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact X2Go Release Manager by replying to this email.

--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
- Windows: add support for x3270-fonts, including adding a pretty nasty but necessary fonts.* file regeneration hook. - {x2goclient,help,onmainwindow}.cpp: implement new --bypass-cleanup-helper parameter. - src/onmainwindow.cpp: fix building with Qt 4.6, currently the latest version available in EPEL 6. - src/onmainwindow.cpp: unbreak builds by fixing syntax error. - src/onmainwindow.cpp: also unbreak old EPEL 6 builds. - src/onmainwindow.cpp: add (and prefer) non-compat-symlink scp server location for 64-bit-based Gentoo distros (17.1+ profiles). Fixes: #1393. - res/i18n/x2goclient_*.ts: replace changed source strings, no retranslations required. - src/httpbrokerclient.cpp: do not leak password length in debug output either. - src/sessionwidget.cpp: stop parsing proxy address as "host:port: if the address contains a colon. Fixes: #1418. We don't do this for the "normal" host address and this behavior clashes with IPv6 addresses. We COULD, theoretically, keep it, but that would require writing an arbitrary address parser. Too much effort for little gain. - src/onmainwindow.cpp: also remove proxy "host:port" parsing at connect time. Fixes: #1418. - macbuild.sh: switch to bundling PulseAudio 13.0 since it's now available in MacPorts. - src/onmainwindow.cpp: disable "left click" action on OS X/macOS. This platform always gets a left click event, even when right clicked. May sound weird first, but this behavior is consistent between all applications - tray icons can be clicked via either button and will always trigger a context menu. Let X2Go Client behave the same way. - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings. - src/SVGFrame.cpp: simplify implementation a lot. 
Only paint data onto the widget in the paintEvent () function. Drop setting a palette based upon the rendered SVG image, which has been very wrong to do from the beginning and only lead to visual glitches. Correctly repaint single-frame SVG files. - src/sshmasterconnection.cpp: work around lupdate warning by adding another block in the #else preprocessor branch. - res/i18n/x2goclient_*.ts: update translation files. - Windows: Update PuTTY from 0.71 to 0.73. Fixes another round of issues discovered through the EU-funded bug bounty programme and other security problems. - src/onmainwindow.cpp: stop PulseAudio from spamming logs after a client disconnects. Fixes: #1425. Patch based on one submitted by Ville Salmela. - src/onmainwindow.cpp: instead of searching for "sftp-binary", try to look for "sftp-server" in the Qt 5.x code path. Luckily this only affects cases where we bundle sftp-server (which we don't) or where sftp-server is actually part of $PATH (which it usually shouldn't be). - Windows: upgrade bundled VcXsrv to 1.20.6.0. - Windows: upgrade PulseAudio from 7.1 to 13.0. - Windows: remove libz. Was previously used by libzip, which has not been shipped for quite some time. - Windows: Update Win32 OpenSSL from 1.0.2n to 1.0.2u. Implicit. - Windows: Upgrade libssh from 0.7.4 to 0.9.3 (while maintaining Pageant support). Drop libssh_threads library not provided (or used) any longer. - x2goclient.pro: update comment mentioning that libssh does not provide pkgconfig files on non-UNIX/Windows platforms any longer and drop libssh_thread linkage. - res/i18n/x2goclient_nl.ts: add missing singular form to a multi-form entry. - res/i18n/x2goclient_cs.ts: fix up whitespace and mark actually finished translation string as such, also removing my previous comment. - res/i18n/x2goclient_nb_no.ts: fix up whitespace and typos. - res/i18n/x2goclient_de.ts: better translate UNIX cleanup helper and fix "X2Go Client" as "X2GoClient" globally. - misc: pre-release copyright update. 
- src/onmainwindow.cpp: update in-code copyright notice. - res/i18n/x2goclient_*.ts: update copyright notice in about dialog manually. - src/onmainwindow.cpp: add comment for translators encouraging them to add themselves to copyright notice. - res/i18n/x2goclient_*.ts: update after source code changes and comment addition. - res/i18n/x2goclient_*.ts: mark copyright translation string as unfinished for already translated languages (but Finnish) to alert translators of the new comment. - man/man1/x2goclient.1: pre-release date update. * debian/control: + Add build-depend on pkg-config. * x2goclient.spec: + Build-depend on pkg-config. + EPEL packages need to depend upon pkgconfig for now, not pkg-config. + Pull in redhat-rpm-config manually. This should probably be done by something else, like... gcc or qmake or qt(4)-dev, but it isn't. + Try to ignore gettext-tools-mini on *SuSE to force installation of the new/renamed gettext-runtime-mini package. + It's %endif, not %fi. + Revert the gettext-tools-mini change, was caused by an outdated obs-build version. . [ Mike Gabriel ] * New upstream version (4.1.2.2): - Add support for Nix OS for common_sftp_dirs's hard-coded sftp-server paths. - src/sessionwidget.cpp: Rename shadowing sessiontype to 'X2Go/X11 Desktop Sharing'. - man/man1/x2goclient.1: Add explanation for the --broker-name option. - res/resources.qrc: Add Czech translation file. - Update qt_.qm files from Qt5 v5.11.2. - Rename radion button lables for xfreerdp options' style. * debian/control: + In x2goclient R, prefer freerdp2-x11 over rdesktop over freerdp-x11 (which is broken these days anyway). + In x2goclient D, add x2gokdriveclient. + In x2goclient D, add hello as an alternative to x2gokdriveclient. Works around non-available x2gokdriveclient on Debian jessie. . [ Tom Ruzicka ] * New upstream release (4.1.2.2): - Add new translation: Czech. - Second update round of Czech translation + enable it in x2goclient.pro. . 
[ Ulrich Sibiller ] * New upstream release (4.1.2.2): - src/sshmasterconnection.cpp: close channel on failure in checkLogin (). - src/sshmasterconnection.{cpp,h}: skip checkLogin() if hostname starts with "!". Some special ssh proxies will not allow arbitrary commands. checkLogin() will break these sessions because it tries to run the echo command on the proxy. By specifying a "!" as the first character of the (proxy) hostname you can instruct x2goclient ot skip the checkLogin() call altogether. Note that this will break proxies that require you to change you password or some other type of interaction. As this is added to SshMasterConnection it is also valid to specify that for the server hostname although this is not very useful. . [ Jos Wolfkamp ] * New upstream version (4.1.2.2): - res/i18n/x2goclient_nl.ts: update Dutch translation file. . [ Sébastien Ducoulombier ] * New upstream version (4.1.2.2): - res/i18n/x2goclient_fr.ts: update French translation file. - res/i18n/x2goclient_fr.ts: add missing sentence and UTF-8-ize entries. . [ Ruda Vallo ] * New upstream version (4.1.2.2): - res/i18n/x2goclient_cs.ts: update Czech translation file. . [ Klaus Ade Johnstad ] * New upstream version (4.1.2.2): - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file. - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file. . [ Stefan Baur ] * New upstream release (4.1.2.2): - res/i18n/x2goclient_de.ts: update German translation file. 
------------=_1581544213-17092-1
Content-Type: message/rfc822
Content-Disposition: inline
From: Sylvain Cuaz
Subject: Tilde expansion no longer performed by libssh after CVE-2019-14889
To: submit@bugs.x2go.org
Date: Fri, 20 Dec 2019 18:21:24 +0100

Package: x2goclient
Version: 4.1.1.1

SSH key fails to be copied to the remote side because the path uses a tilde, so neither file sharing nor client-side printing works.

Client OS: Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5
Server OS: Ubuntu 16.04.6 LTS

Since December 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message:
"Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n"
But the directory does exist.

After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname+"/.x2go/ssh/"+dst; which is ultimately passed to libssh.
But following CVE-2019-14889 the path is now literal (quoted), see https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and https://usn.ubuntu.com/4219-1/ for the Ubuntu packages.

A similar issue is handled for Windows in SshProcess::start_cp().

As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.

------------=_1581544213-17092-1--

From: Debbugs Internal Request
To: internal_control@bugs.x2go.org
Subject: Internal Control
Date: Thu, 12 Mar 2020 06:24:02 +0000

Bug archived.
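How the src/sshprocess.cpp change from the 4.1.2.2 changelog (stripping ~/, ~user, ${HOME} and $HOME prefixes from scp destinations, so the client no longer relies on the server-side expansion that the quoted path after CVE-2019-14889 no longer gets) can be implemented, as an added example that is not x2goclient's own code; the function name stripHomePrefix, the helper matchHomePrefix and returning "." for an empty remainder are assumptions of this example.

```cpp
#include <iostream>
#include <string>

namespace {
// True when `path` starts with `prefix` and the prefix is followed by '/'
// or by the end of the string; `rest` receives what follows the '/'.
// "~ilmx/..." therefore does NOT match prefix "~ilm", and "$HOMEDIR/x"
// does NOT match "$HOME".  (Hypothetical helper for this example.)
bool matchHomePrefix(const std::string &path, const std::string &prefix,
                     std::string &rest) {
    if (path.compare(0, prefix.size(), prefix) != 0) {
        return false;
    }
    if (path.size() == prefix.size()) {
        rest.clear();
        return true;
    }
    if (path[prefix.size()] != '/') {
        return false;
    }
    rest = path.substr(prefix.size() + 1);
    return true;
}
}  // namespace

// Rewrite an scp destination so it no longer depends on the remote shell
// expanding a home-directory prefix.  libssh with the CVE-2019-14889 fix
// passes the remote path quoted, so "~ilm/.x2go/ssh" names a literal
// directory "~ilm" and scp reports "No such file or directory".  scp
// resolves a relative path against the remote user's home directory, so
// dropping the prefix yields the intended location without any shell
// interpretation on the server.  `user` is the remote login name; a
// different "~other" is left untouched because only the server could
// resolve another account's home.  Name and the "." convention for an
// empty remainder are assumptions of this example, not x2goclient's code.
std::string stripHomePrefix(const std::string &path, const std::string &user) {
    // The prefix families the 4.1.2.2 changelog lists:
    // ~/, ~user{,/}, ${HOME}{,/}, $HOME{,/}.  A bare "~" is accepted too.
    const std::string prefixes[] = {"~", "~" + user, "${HOME}", "$HOME"};
    for (const std::string &prefix : prefixes) {
        std::string rest;
        if (matchHomePrefix(path, prefix, rest)) {
            return rest.empty() ? "." : rest;  // "." is the home directory itself
        }
    }
    return path;  // absolute or already-relative path: nothing to strip
}

int main() {
    // Constructed inputs; "ilm" is the login from the bug report's error message.
    const char *samples[] = {"~ilm/.x2go/ssh/key.jdT502", "~/.x2go/ssh",
                             "${HOME}/.x2go/ssh", "$HOME", "~other/.x2go",
                             "$HOMEDIR/x", "/tmp/key"};
    for (const char *s : samples) {
        std::cout << s << " -> " << stripHomePrefix(s, "ilm") << '\n';
    }
    return 0;
}
```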