X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#335 closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 (X2Go issue (in src:python-x2go) has been marked as closed)
Message-ID: <handler.335.c.138919142327244.notifdone@bugs.x2go.org>
References: <20140108142934.8C04E5DCD5@ymir>
X-X2go-PR-Keywords: confirmed pending
X-X2go-PR-Message: they-closed 335
X-X2go-PR-Package: python-x2go
X-X2go-PR-Source: python-x2go
Date: Wed, 08 Jan 2014 14:35:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1389191703-766-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the python-x2go package:

#335: Users can inject arbitrary data into Pyhoca-GUI via .bashrc

It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.


-- 
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 335-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 335@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as closed
Date: Wed, 8 Jan 2014 15:29:34 +0100 (CET)
close #335
thanks

Hello,

we are very hopeful that X2Go issue #335 reported by you
has been resolved in the new release (0.4.0.9) of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (0.4.0.9)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=62f82b9324d1ed8240af1ad0bf0e5ff82f08ee49;hp=000e5e38e26713f485314365486d05b93100a189

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:python-x2go
Version: 0.4.0.9-0x2go1
Status: RELEASE
Date: Wed, 08 Jan 2014 15:14:16 +0100
Fixes: 329 330 335
Changes: 
 python-x2go (0.4.0.9-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream version (0.4.0.9):
     - Agent channels in Paramiko can raise an EOFError if the connection
       has got disrupted. Ignoring this.
     - Store the session password in base64 encoded string in order to make
       it harder spotting the long term stored (for the duration of the session)
       plain text password.
     - Support encryption passphrases on SSH private key files (X2Go SSH
       connections as well as SSH proxy connections).
     - Invalidate SSH private keys (filename, pkey object) when look_for_keys is
       requested.
     - Keep private key information even if force_password_auth is set in the
       control session's connect() method.
     - Fix parameter handling in X2GoSession.connect().
     - Rewrite passwords that are not string/unicode to an empty string.
     - No Unicode chars in log messages. Eliminated one more in checkhosts.py.
     - Implement two-factor authentication.
     - Compat fix in _paramiko monkey patch module to also work with early
       Paramiko versions.
     - Handle echoing ~/.*shrc files gracefully via SSH client connections. Do
       not allow data injections via ~/.*shrc files. (Fixes: #335).
     - Properly handle (=expand) the "~" character in key filenames. (Brought to
       attention by Eldamir on IRC. Thanks!).
     - Differentiate between desktop sharing errors and desktop sharing access
       that gets denied by the other/remote user.
     - Report about found session window / session window retitling in debug
       mode.
     - Fix session window detection when local session manager is the i3 session
       manager (which uses _NET_CLIENT_LIST_STACKING instead of
       _NET_CLIENT_LIST).
     - Check for pulse cookie file in old (~/.pulse-cookie) and new
       (~/.config/pulse/cookie) location.
     - Import python-x2go-py3.patch from Fedora. Thanks to Orion!!!
     - Improve setup.py script: make it run with Python3 and older Python2
       versions.
     - Fix tests for two-factor authentication in control session and SSH proxy
       code.
     - Fix regression: Make password logins with PyHoca-CLI succeed again.
     - Make channel compression to all authentication methods.
     - Set keepalive on proxy channel.
     - Only use [<host>]:<port> if <port> is not 22.
     - Handle host key checks for hosts that do not have a port specified.
   * debian/source/format:
     + Switch to format 1.0.
   * python-x2go.spec:
     + Ship python-x2go.spec (RPM package definitions) in upstream project.
       (Thanks to the Fedora package maintainers).
     + Clear (Fedora package) changelog.
     + Drop dependency on python-cups.
 .
   [ Orion Poplawski ]
   * debian/control:
     + Drop python-cups from Depends: field. Python CUPS is no dependency if
       Python X2Go. (Fixes: #329).
 .
   [ Kenneth Pedersen ]
   * New upstream version (0.4.0.9):
     - Color depth detection: Stop using win32api.GetSystemMetrics(2) which actually
       returns the width of a vertical scroll bar in pixels. Instead, create a screen
       display context and query it for the color depth. (Fixes: #330).

[Message part 3 (message/rfc822, inline)]
From: "Dan Halbert" <halbert@halwitz.org>
To: submit@bugs.x2go.org
Subject: x2go client crashes if .bashrc prints anything
Date: Sat, 19 Oct 2013 12:22:43 -0400 (EDT)
[Message part 4 (text/plain, inline)]
Package: x2goclient
Version: 4.0.0.3
 
If I put an
echo "testing"   # exact text doesn't matter
 
at the top of my .bashrc, then the x2goclient crashes immediately when trying to start a session.
 
(The crash does not occur if I put a similar statement in .bash_login.)
 
I have reproduced this on the Windows client; I believe a colleague saw it on both the Windows and Linux clients.
 
The x2go server being used is  4.0.1.6-0~712~precise1.

[Message part 5 (text/html, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Sep 20 08:46:12 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.