X2Go Bug report logs - #336
Don't allow users to override X2Go commands via ~/bin (or similar)


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Tue, 29 Oct 2013 12:41:16 UTC

Severity: important

Tags: pending

Fixed in version 4.0.2.1

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.




Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#334; Package x2goclient. (Tue, 29 Oct 2013 12:41:16 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 12:41:16 GMT)

Message #5 received at submit@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: Don't allow users to override X2Go commands via ~/bin (or similar)
Date: Tue, 29 Oct 2013 12:41:06 +0000
[Message part 1 (text/plain, inline)]
Package: x2goclient
Severity: important

In X2Go it is currently possible to replace every command in X2Go  
Server by a command of the same name in ~/bin.

An attacker could use this to infiltrate X2Go Client with arbitrary data.

IMHO, we should make sure X2Go Client only uses system-wide paths  
when invoking commands on X2Go Servers.

This, of course, will boycott installing X2Go Server into ~<user>  
space, but actually, I prefer a safe setup to such custom installation  
tweaks.

Feedback?!?

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]
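The report above describes a lookup-order problem: a client sends a bare command name over SSH, the remote login shell resolves it through the user's $PATH, and a same-named file in ~/bin (listed first in $PATH) wins over the system copy. The following is an added example, not X2Go code and not the fix referenced later in this log; it models that shell lookup on constructed server data, shows the hardened form (allow-listed name, absolute path under a system-wide directory, quoted arguments), and adds a server-side check for ~/bin entries that shadow expected commands. The command names, the trusted directory, the user "alice" and the file list are all assumptions made for the example.

```python
import shlex

# Assumed for this example: the commands the client invokes on the server and
# the single trusted directory they are installed in.  Neither is taken from
# the report or from X2Go's actual code.
TRUSTED_DIR = "/usr/bin"
KNOWN_COMMANDS = ("x2golistsessions", "x2gostartagent", "x2goterminate-session")


def remote_command_by_name(name, args=()):
    """The pattern the report objects to: send a bare name and let the
    remote login shell find it through $PATH."""
    return " ".join([name, *map(shlex.quote, args)])


def remote_command_pinned(name, args=()):
    """Hardened form: allow-listed name, absolute path in a system-wide
    directory, arguments quoted so they cannot alter the command line."""
    if name not in KNOWN_COMMANDS or "/" in name:
        raise ValueError(f"refusing to run unknown command {name!r}")
    return " ".join([f"{TRUSTED_DIR}/{name}", *map(shlex.quote, args)])


def resolve_like_a_shell(command_line, path_dirs, files):
    """Model how a POSIX shell picks the executable for the first word.

    `path_dirs` is the remote user's $PATH split into a list; `files` is the
    set of absolute paths that exist on the server (constructed below).
    A word containing '/' is used as given; otherwise the first $PATH entry
    holding a file of that name wins."""
    word = shlex.split(command_line)[0]
    if "/" in word:
        return word if word in files else None
    for directory in path_dirs:
        candidate = f"{directory}/{word}"
        if candidate in files:
            return candidate
    return None


def shadowing_entries(home_bin_names):
    """Server-side check: which known command names also exist in a user's
    ~/bin.  Takes the directory's file names (constructed in the demo)."""
    return sorted(set(KNOWN_COMMANDS) & set(home_bin_names))


# Constructed sample server state: a user whose ~/bin precedes /usr/bin in
# $PATH and who has a file named like a server command there.
USER_PATH = ["/home/alice/bin", "/usr/local/bin", "/usr/bin", "/bin"]
SERVER_FILES = {
    "/usr/bin/x2golistsessions",
    "/usr/bin/x2gostartagent",
    "/usr/bin/x2goterminate-session",
    "/home/alice/bin/x2golistsessions",
    "/home/alice/bin/backup.sh",
}


def compare(name, args=()):
    """Return (file run by the bare-name form, file run by the pinned form)
    on the sample server."""
    by_name = resolve_like_a_shell(
        remote_command_by_name(name, args), USER_PATH, SERVER_FILES)
    pinned = resolve_like_a_shell(
        remote_command_pinned(name, args), USER_PATH, SERVER_FILES)
    return by_name, pinned


if __name__ == "__main__":
    print(compare("x2golistsessions", ("--all",)))
    print(compare("x2gostartagent"))
    print(shadowing_entries(["x2golistsessions", "backup.sh"]))
```

On the sample data the bare-name form of `x2golistsessions` resolves to the copy under `/home/alice/bin`, while the pinned form resolves to `/usr/bin/x2golistsessions` regardless of $PATH; a command with no ~/bin counterpart resolves identically either way. The pinned builder also rejects any name that is not on the allow-list or contains a slash, so the client cannot be talked into running something outside the trusted directory. The trade-off is the one the report states: server components installed under a home directory are no longer found.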

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#334; Package x2goclient. (Tue, 29 Oct 2013 13:48:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 13:48:02 GMT)

Message #10 received at 334@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 334@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)
Date: Tue, 29 Oct 2013 13:43:08 +0000
[Message part 1 (text/plain, inline)]
clone #334 -1
reassign #334 python-x2go
thanks

Hi all,

On Tue 29 Oct 2013 13:41:06 CET, Mike Gabriel wrote:

> Package: x2goclient
> Severity: important
>
> In X2Go it is currently possible to replace every command in X2Go  
> Server by a command of the same name in ~/bin.
>
> An attacker could use this to infiltrate X2Go Client with arbitrary data.
>
> IMHO, we should make sure X2Go Client only uses system-wide paths  
> when invoking commands on X2Go Servers.
>
> This, of course, will boycott installing X2Go Server into ~<user>  
> space, but actually, I prefer a safe setup to such custom  
> installation tweaks.
>
> Feedback?!?
>
> Mike

This issue also applies to Python X2Go.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]

Bug 334 cloned as bug 336 Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 29 Oct 2013 13:48:03 GMT)

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#336; Package x2goclient. (Mon, 16 Jun 2014 06:45:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 16 Jun 2014 06:45:02 GMT)

Message #17 received at 336@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 336-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 336@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Date: Mon, 16 Jun 2014 08:41:53 +0200 (CEST)
tag #336 pending
fixed #336 4.0.2.1
thanks

Hello,

X2Go issue #336 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=4eb1fd1

The issue will most likely be fixed in src:x2goclient (4.0.2.1).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 4eb1fd18370a692ff962e99dec5d60d93302783e
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon Jun 16 08:40:41 2014 +0200

    Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #336).

diff --git a/debian/changelog b/debian/changelog
index 5bfb7a7..14f29b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2goclient (4.0.2.1-0x2go1) UNRELEASED; urgency=low
       we force X2Go client to only use the default "accelerated X" as
       system tray icon (and prohibit usage of the session's icon as
       tray icon). (Fixes: #365).
+    - Disallow server-side users to override X2Go Server commands via
+      ~/bin (or similar). (Fixes: #336).
   * debian/control:
     + Add dbg:package x2goplugin-dbg.
 
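Review bot: the entry added at `+    - Disallow server-side users to override X2Go Server commands via` / `+      ~/bin (or similar). (Fixes: #336).` records a security-relevant behaviour change, but this hunk touches only debian/changelog and the source change that implements it is not part of the diff shown here; the entry also does not say how the override is prevented (absolute command paths, a fixed PATH, or something else). Naming the mechanism in the changelog would let administrators tell whether per-user installations of X2Go Server under a home directory stop working, which the original report (message #5) already flags as a consequence.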


Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:45:02 GMT)

Marked as fixed in versions 4.0.2.1. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:45:02 GMT)

Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug#336. (Mon, 16 Jun 2014 06:45:03 GMT)

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#336; Package x2goclient. (Tue, 21 Oct 2014 11:30:04 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 21 Oct 2014 11:30:05 GMT)

Message #29 received at 336@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 336-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 336@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Date: Tue, 21 Oct 2014 13:26:09 +0200 (CEST)
close #336
thanks

Hello,

we are very hopeful that X2Go issue #336 reported by you
has been resolved in the new release (4.0.3.0) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.3.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=04ed56d4162f000b093bea13aa2582c2de718144;hp=85bf0c6e7539910fff779689528009a897cdceb4

If you feel that the issue has not been resolved satisfactorily, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the newly released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.3.0-0x2go1
Status: RELEASE
Date: Tue, 21 Oct 2014 12:38:56 +0200
Fixes: 108 159 253 258 336 474 522 525 566 568 571 580 587 590 597 603 607 608 609 612 636
Changes: 
 x2goclient (4.0.3.0-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream release (4.0.3.0):
     - Disallow server-side users to override X2Go Server commands via
       ~/bin (or similar). (Fixes: #336).
     - Avoid uninitialised variables on early calls of ONMainWindow::closeEvent()
       or ONMainWindow::closeClient(). (Fixes: #253).
     - Update translation files. Add empty Portuguese translation. Update
       qt_<lang>.qm files from Debian unstable as of today.
     - Update German translation file (after session folder feature got added).
     - Makefile.man2html: Test if man2html exists. If not, don't fail.
     - Honor exports (client-side shared folders) from broker session profiles.
       Thanks to Ming Song for providing a patch for this (Fixes: 612).
   * debian/control:
     + Add B-D: apache2-dev. On squeeze / lucid builds, this is a superfluous
       B-D, but for later Debian/Ubuntu versions, this smoothes the installation
       of the x2goplugin-provide bin:package.
     + Update B-D: apache2-dev | libc6-dev. The apache2-dev package does not
       exist on all Debian/Ubuntu versions.
   * x2goclient.spec:
     + Adapt to building for openSUSE/SLES.
     + openSUSE: Make Qt4 Linguist tools available for Makefile.
     + Upgrade versioned BR for libssh-devel (0.6.3 or patched 0.5.5).
     + The libqt4-linguist split off happened in openSUSE 13.1.
     + Add x2goclient-rpmlintrc file.
     + In openSUSE, it is openldap2-devel, in Fedora/RHEL it is openldap-devel.
     + In openSUSE, openssh is openssh (not openssh-clients / openssh-server).
 .
   [ Oleksandr Shneyder ]
   * New upstream release (4.0.3.0):
     - Fix running x2goclient without arguments on Windows. (Fixes: #522).
     - Save proxy output in $HOME/S-$SESSION-ID/session.log if debugging is
       enabled.
     - Fork x2goclient on windows and terminate child processes if X2Go Client
       crashed. (Fixes: #159).
     - Add "clipboard" parameter to session profile and to command line options.
       (Fixes: #258).
     - Replace qCritical() with printError() by argument parsing.
     - Update translation files.
     - Update russian translation.
     - Update string "&Clipboard Mode" and translate in russian translation file.
     - Grammar fix in russian translation.
     - Add x2gohelper to start X2Go Client on Windows and clean child processes
       if X2Go Client crashes. (Fixes: #525).
     - On Windows rename x2goclient.exe to x2goclient-mainprocess.exe and
       x2gohelper.exe to x2goclient.exe.
     - Start x2gohelper from X2Go Client. Revert name changing of X2Go Client and
       x2gohelper.
     - Add Makefile for x2gohelper.
     - Add support for sessions folders.
     - Add folder explorer: a GUI to manage of session subfolders.
     - Support for sessions subfolders in sessionmanagedialog.
     - Session name autocompletion only for sessions in current folder.
     - Support for session subfolders and command-line options "--session"
       and "--sessionid".
     - Disable session explorer "back" button if user sessions are disabled.
     - Include <QDir> in sessionexplorer.cpp.
     - Remove deprecated workaround in wapi.cpp.
     - Save folder icons Base64 coded. Save icons under General\icon_<PATH>.
       (Fixes: #580).
     - Fix placing sessions folders in broker mode.
     - Fix onmainwindow.cpp after 76ae96781f1d2d5754ee4751539d5de47f1d0297.
     - Add support for session selection in broker mode.
 .
   [ Mike DePaulo ]
   * New upstream release (4.0.3.0):
     - Make X2Go Client aware of the Cinnamon (CINNAMON) desktop environment.
       (Fixes: #571)
     - Make X2Go Client aware of the Trinity (TRINITY) desktop environment.
       (Fixes: #609)
     - Make X2Go Client aware of the Openbox (OPENBOX) window manager.
       (Fixes: #607)
     - Make X2Go Client aware of the IceWM (ICEWM) window manager.
       (Fixes: #608)
     - Windows: Fix not being able to add the server to the known_hosts file when
       the username has non-English characters. (Fixes: #566)
       (NOTE: This fix only works when the non-English characters are in the same
       language as the Windows "system locale" AKA "Language for non-Unicode
       programs." Bug #611 was written for fixing the issue for languages other
       than the system locale.)
       Thanks George Trakatelis (uom.edu.gr) for submitting part of this fix.
     - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font
       groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
       Note: The fact that all the fonts are included makes the installer about
       30MB larger.
     - Windows: Bundle new version of VcXsrv: 1.15.2.1-xp+vc2013+x2go1
       This new version is based on upstream VcXsrv 1.15.2.0, but still
       compatible with Windows XP. It also has its bundled OpenSSL updated to
       1.0.1j. It is compiled with Microsoft Visual C++ 2013 and contains 1
       X2Go-specific change, winmultiwindow.patch. This patch fixes an issue
       when resizing the NX-proxy window on specific multiple monitor setups.
       (Thanks Oleksandr Shneyder for the patch) (Fixes: #568) (Fixes: #594)
     - Windows: Port from MinGW 4.4 + Qt 4.8.5 to MinGW 4.8.2 + Qt 4.8.6,
       including fix for QTBUG-38706 (Fixes: #474, #603)
     - Windows: Fix missing VcXsrv/zlib1.dll . The impact of this bug was that
       VcXsrv would not start if the cwd was changed from the x2goclient
       directory. (The start menu and desktop shortcuts do have the x2goclient
       directory as the cwd. So they were not affected.) (Fixes: #587)
     - Windows: Make the desktop shortcut optional during install,
       but still the default.
     - Windows: Upgrade libssh from 0.5.5 to 0.6.3. This fixes connecting to
       hpn-enabled SSH servers. The Pageant support patch from the KDE Windows
       project was ported to 0.6.3 by myself and Mike Frederick.
       (Gmail: psududemike) (Fixes: #590)
     - Windows: Win32 OpenSSL updated from 1.0.1h to 1.0.1j, which fixes the
       CVEs announced on 2014-08-06 & 2014-10-15.
     - Windows: Replace Cygwin Bash (sh.exe) with Cygwin Dash (ash.exe renamed
       to sh.exe). This also means fewer Cygwin .DLLs are bundled.
       (Fixes: #636)
     - Windows: cygwin packages (excluding OpenSSH, which is at the patched
       version of 6.6.1p1-3-x2go1) updated from latest versions as of 2014-06-09
       to latest versions as of 2014-10-18. This includes openssl 1.0.1j-1, which
       fixes the CVEs announced on 2014-08-06 & 2014-10-15.
       (Cygwin openssl was also individually updated in 4.0.2.1+hotfix1+build2,
       but only to 1.0.1i-1.)
     - Windows: Build nxproxy.exe with Cygwin's libpng 1.5.x rather than 1.2.x.
       (This may improve performance when PNG compression is selected.)
     - Windows: Build cygwin openssh without krb5 or tcp_wrappers support because
       X2Go Client for Windows does not use either feature.
       (On Windows, Kerberos 5 (GSSAPI) support is provided by PuTTY.)
     - Windows: Fix text not being rendered properly at end of NSIS installer
       (Fixes: #597)
 .
   [ Stefan Baur ]
   * New upstream version (4.0.3.0):
     - Update German translation file.
 .
   [ Ricardo Díaz Martín ]
   * New upstream version (4.0.3.0):
     - Update Spanish translation file.
 .
   [ Martti Pitkanen ]
   * New upstream version (4.0.3.0):
     - Update Finnish translation file.
 .
   [ Jos Wolfram ]
   * New upstream version (4.0.3.0):
     - Update Dutch translation file.
 .
   [ Robert Parts ]
   * New upstream version (4.0.3.0):
     - Add Estonian translation file.
 .
   [ Klaus Ade Johnstad ]
   * New upstream version (4.0.3.0):
     - Update Bokmal (Norway) translation file.
 .
   [ Daniel Lindgren ]
   * New upstream version (4.0.3.0):
     - Update Swedish translation file.
 .
   * Translation status:
     OK - Updating 'x2goclient/x2goclient_de.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     INCOMPLETE - Updating 'x2goclient/x2goclient_da.qm'...
       Generated 536 translation(s) (526 finished and 10 unfinished)
       Ignored 30 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_es.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_et.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_fi.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     INCOMPLETE - Updating 'x2goclient/x2goclient_fr.qm'...
       Generated 254 translation(s) (201 finished and 53 unfinished)
       Ignored 312 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_nb_no.qm'...
        Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_nl.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     UNTRANSLATED - Updating 'x2goclient/x2goclient_pt.qm'...
       Generated 0 translation(s) (0 finished and 0 unfinished)
       Ignored 566 untranslated source text(s)
     INCOMPLETE - Updating 'x2goclient/x2goclient_ru.qm'...
       Generated 552 translation(s) (543 finished and 9 unfinished)
       Ignored 14 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_sv.qm'...
       Generated 566 translation(s) (566 finished and 0 unfinished)
     INCOMPLETE - Updating 'x2goclient/x2goclient_zh_tw.qm'...
       Generated 397 translation(s) (372 finished and 25 unfinished)
       Ignored 169 untranslated source text(s)


Marked Bug as done Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 21 Oct 2014 11:30:35 GMT)

Notification sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug acknowledged by developer. (Tue, 21 Oct 2014 11:30:35 GMT)

Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug#336. (Tue, 21 Oct 2014 11:30:40 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Wed, 19 Nov 2014 06:24:02 GMT)



X2Go Developers <owner@bugs.x2go.org>. Last modified: Sun Jul 21 17:06:46 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.