X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #77 received at control@bugs.x2go.org (full text, mbox, reply):

Received: (at control) by bugs.x2go.org; 29 Oct 2013 17:36:50 +0000
From x2go@ymir  Tue Oct 29 18:36:41 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS,
	URIBL_BLOCKED autolearn=unavailable version=3.3.2
Received: by ymir (Postfix, from userid 1005)
	id A1E3E3BC43; Tue, 29 Oct 2013 18:36:41 +0100 (CET)
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 335-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 335@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as pending for release
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Mailer: http://snipr.com/post-receive-tag-pending
Message-Id: <20131029173641.A1E3E3BC43@ymir>
Date: Tue, 29 Oct 2013 18:36:41 +0100 (CET)
tag #335 pending
fixed #335 0.4.0.9
thanks

Hello,

X2Go issue #335 (src:python-x2go) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=5b8164d

The issue will most likely be fixed in src:python-x2go (0.4.0.9).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 5b8164de3596bd79e89de18e574252b2730b0916
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Tue Oct 29 18:36:06 2013 +0100

    Handle echoing ~/.*shrc files gracefully via SSH client connections. Do not allow data injections via ~/.*shrc files. (Fixes: #335).

diff --git a/debian/changelog b/debian/changelog
index eb4b587..cee5b48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ python-x2go (0.4.0.9-0~x2go1) UNRELEASED; urgency=low
     - Implement two-factor authentication.
     - Compat fix in _paramiko monkey patch module to also work with early Paramiko
       versions.
+    - Handle echoing ~/.*shrc files gracefully via SSH client connections. Do not allow
+      data injections via ~/.*shrc files. (Fixes: #335).
 
   [ Orion Poplawski ]
   * debian/control:


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 21:02:33 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.