X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#335: X2Go issue (in src:python-x2go) has been marked as pending for release
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 335-quiet@bugs.x2go.org
Resent-To: "Dan Halbert" <halbert@halwitz.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 29 Oct 2013 17:48:02 +0000
Resent-Message-ID: <handler.335.U335.138306820213661@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: report 335
X-X2Go-PR-Package: python-x2go
X-X2Go-PR-Keywords: confirmed pending
Received: via spool by 335-submitter@bugs.x2go.org id=U335.138306820213661
          (code U ref 335); Tue, 29 Oct 2013 17:48:02 +0000
Received: (at 335-submitter) by bugs.x2go.org; 29 Oct 2013 17:36:42 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS,
	URIBL_BLOCKED autolearn=ham version=3.3.2
Received: by ymir (Postfix, from userid 1005)
	id A1E3E3BC43; Tue, 29 Oct 2013 18:36:41 +0100 (CET)
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 335-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 335@bugs.x2go.org
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Mailer: http://snipr.com/post-receive-tag-pending
Message-Id: <20131029173641.A1E3E3BC43@ymir>
Date: Tue, 29 Oct 2013 18:36:41 +0100 (CET)

tag #335 pending
fixed #335 0.4.0.9
thanks

Hello,

X2Go issue #335 (src:python-x2go) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=5b8164d

The issue will most likely be fixed in src:python-x2go (0.4.0.9).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 5b8164de3596bd79e89de18e574252b2730b0916
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Tue Oct 29 18:36:06 2013 +0100

    Handle echoing ~/.*shrc files gracefully via SSH client connections. Do not allow data injections via ~/.*shrc files. (Fixes: #335).

diff --git a/debian/changelog b/debian/changelog
index eb4b587..cee5b48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ python-x2go (0.4.0.9-0~x2go1) UNRELEASED; urgency=low
     - Implement two-factor authentication.
     - Compat fix in _paramiko monkey patch module to also work with early Paramiko
       versions.
+    - Handle echoing ~/.*shrc files gracefully via SSH client connections. Do not allow
+      data injections via ~/.*shrc files. (Fixes: #335).
 
   [ Orion Poplawski ]
   * debian/control:

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Apr 18 22:38:14 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.