X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


Message #87 received at control@bugs.x2go.org (full text, mbox, reply):

Received: (at control) by bugs.x2go.org; 8 Jan 2014 14:30:23 +0000
From x2go@ymir  Wed Jan  8 15:29:34 2014
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS
	autolearn=unavailable version=3.3.2
Received: by ymir (Postfix, from userid 1005)
	id 8C04E5DCD5; Wed,  8 Jan 2014 15:29:34 +0100 (CET)
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 335-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 335@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as closed
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Message-Id: <20140108142934.8C04E5DCD5@ymir>
Date: Wed,  8 Jan 2014 15:29:34 +0100 (CET)
close #335
thanks

Hello,

we are very hopeful that X2Go issue #335 reported by you
has been resolved in the new release (0.4.0.9) of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (0.4.0.9)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=62f82b9324d1ed8240af1ad0bf0e5ff82f08ee49;hp=000e5e38e26713f485314365486d05b93100a189

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:python-x2go
Version: 0.4.0.9-0x2go1
Status: RELEASE
Date: Wed, 08 Jan 2014 15:14:16 +0100
Fixes: 329 330 335
Changes: 
 python-x2go (0.4.0.9-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream version (0.4.0.9):
     - Agent channels in Paramiko can raise an EOFError if the connection
       has got disrupted. Ignoring this.
     - Store the session password in base64 encoded string in order to make
       it harder spotting the long term stored (for the duration of the session)
       plain text password.
     - Support encryption passphrases on SSH private key files (X2Go SSH
       connections as well as SSH proxy connections).
     - Invalidate SSH private keys (filename, pkey object) when look_for_keys is
       requested.
     - Keep private key information even if force_password_auth is set in the
       control session's connect() method.
     - Fix parameter handling in X2GoSession.connect().
     - Rewrite passwords that are not string/unicode to an empty string.
     - No Unicode chars in log messages. Eliminated one more in checkhosts.py.
     - Implement two-factor authentication.
     - Compat fix in _paramiko monkey patch module to also work with early
       Paramiko versions.
     - Handle echoing ~/.*shrc files gracefully via SSH client connections. Do
       not allow data injections via ~/.*shrc files. (Fixes: #335).
     - Properly handle (=expand) the "~" character in key filenames. (Brought to
       attention by Eldamir on IRC. Thanks!).
     - Differentiate between desktop sharing errors and desktop sharing access
       that gets denied by the other/remote user.
     - Report about found session window / session window retitling in debug
       mode.
     - Fix session window detection when local session manager is the i3 session
       manager (which uses _NET_CLIENT_LIST_STACKING instead of
       _NET_CLIENT_LIST).
     - Check for pulse cookie file in old (~/.pulse-cookie) and new
       (~/.config/pulse/cookie) location.
     - Import python-x2go-py3.patch from Fedora. Thanks to Orion!!!
     - Improve setup.py script: make it run with Python3 and older Python2
       versions.
     - Fix tests for two-factor authentication in control session and SSH proxy
       code.
     - Fix regression: Make password logins with PyHoca-CLI succeed again.
     - Make channel compression to all authentication methods.
     - Set keepalive on proxy channel.
     - Only use [<host>]:<port> if <port> is not 22.
     - Handle host key checks for hosts that do not have a port specified.
   * debian/source/format:
     + Switch to format 1.0.
   * python-x2go.spec:
     + Ship python-x2go.spec (RPM package definitions) in upstream project.
       (Thanks to the Fedora package maintainers).
     + Clear (Fedora package) changelog.
     + Drop dependency on python-cups.
 .
   [ Orion Poplawski ]
   * debian/control:
     + Drop python-cups from Depends: field. Python CUPS is no dependency if
       Python X2Go. (Fixes: #329).
 .
   [ Kenneth Pedersen ]
   * New upstream version (0.4.0.9):
     - Color depth detection: Stop using win32api.GetSystemMetrics(2) which actually
       returns the width of a vertical scroll bar in pixels. Instead, create a screen
       display context and query it for the color depth. (Fixes: #330).


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Nov 24 13:11:51 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.