X2Go Bug report logs - #336
Don't allow users to override X2Go commands via ~/bin (or similar)
Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue, 29 Oct 2013 12:41:16 UTC
Severity: important
Tags: pending
Fixed in version 4.0.2.1
Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Bug is archived. No further changes may be made.
Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>: Bug#334; Package x2goclient. (Tue, 29 Oct 2013 12:41:16 GMT)
Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 12:41:16 GMT)
Message #5 received at submit@bugs.x2go.org:
[Message part 1 (text/plain, inline)]
Package: x2goclient
Severity: important
In X2Go it is currently possible to replace every command in X2Go
Server by a command of the same name in ~/bin.
An attacker could use this to infiltrate X2Go Client with arbitrary data.
IMHO, we should make sure X2Go Client only uses system-wide paths
when invoking commands on X2Go Servers.
This, of course, will boycott installing X2Go Server into ~<user>
space, but actually, I prefer a safe setup to such custom installation
tweaks.
Feedback?!?
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]
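The lookup rule the report asks for, as an added example that is not part of the original report or of X2Go's code: resolve a command only in system-wide directories, flag a same-named file that a user's PATH would pick first, and run the system copy with PATH pinned. `SYSTEM_DIRS` and the three function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not X2Go code. SYSTEM_DIRS is an assumed list of
# root-owned, system-wide directories; adjust it to the server's layout.
SYSTEM_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_in DIRLIST NAME: print the first executable regular file NAME
# found in the colon-separated DIRLIST. Returns 1 if none, 2 on a bad name.
resolve_in() {
    # A name with a slash would bypass directory lookup entirely.
    case $2 in */*|'') return 2 ;; esac
    _rest=$1:
    while [ -n "$_rest" ]; do
        _d=${_rest%%:*}
        _rest=${_rest#*:}
        # Skip empty and relative elements: both depend on the current directory.
        case $_d in /*) ;; *) continue ;; esac
        if [ -f "$_d/$2" ] && [ -x "$_d/$2" ]; then
            printf '%s\n' "$_d/$2"
            return 0
        fi
    done
    return 1
}

# check_shadowed USERPATH NAME: compare what USERPATH would run with the
# system-wide copy. Prints "ok SYS", "shadowed USER SYS" or "missing NAME".
check_shadowed() {
    _sys=$(resolve_in "$SYSTEM_DIRS" "$2") || { printf 'missing %s\n' "$2"; return 2; }
    _usr=$(resolve_in "$1" "$2") || _usr=
    # -ef (same file) keeps /bin vs /usr/bin on merged-/usr systems quiet.
    if [ -z "$_usr" ] || [ "$_usr" -ef "$_sys" ]; then
        printf 'ok %s\n' "$_sys"
        return 0
    fi
    printf 'shadowed %s %s\n' "$_usr" "$_sys"
    return 1
}

# run_system_only NAME [ARGS...]: run NAME by absolute path from SYSTEM_DIRS,
# with PATH pinned so commands it calls are looked up the same way.
run_system_only() {
    _cmd=$(resolve_in "$SYSTEM_DIRS" "$1") || return 127
    shift
    PATH=$SYSTEM_DIRS "$_cmd" "$@"
}
```

`check_shadowed "$PATH" NAME` run as the session user reports whether that user's login PATH resolves NAME to something other than the system copy.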
Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>: Bug#334; Package x2goclient. (Tue, 29 Oct 2013 13:48:02 GMT)
Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 29 Oct 2013 13:48:02 GMT)
Message #10 received at 334@bugs.x2go.org:
[Message part 1 (text/plain, inline)]
clone #334 -1
reassign #334 python-x2go
thanks
Hi all,
On Tue 29 Oct 2013 13:41:06 CET, Mike Gabriel wrote:
> Package: x2goclient
> Severity: important
>
> In X2Go it is currently possible to replace every command in X2Go
> Server by a command of the same name in ~/bin.
>
> An attacker could use this to infiltrate X2Go Client with arbitrary data.
>
> IMHO, we should make sure X2Go Client only uses system-wide paths
> when invoking commands on X2Go Servers.
>
> This, of course, will boycott installing X2Go Server into ~<user>
> space, but actually, I prefer a safe setup to such custom
> installation tweaks.
>
> Feedback?!?
>
> Mike
This issue also applies to Python X2Go.
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]
Bug 334 cloned as bug 336. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 29 Oct 2013 13:48:03 GMT)
Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>: Bug#336; Package x2goclient. (Mon, 16 Jun 2014 06:45:02 GMT)
Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 16 Jun 2014 06:45:02 GMT)
Message #17 received at 336@bugs.x2go.org:
tag #336 pending
fixed #336 4.0.2.1
thanks
Hello,
X2Go issue #336 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=4eb1fd1
The issue will most likely be fixed in src:x2goclient (4.0.2.1).
light+love
X2Go Git Admin (on behalf of the sender of this mail)
---
commit 4eb1fd18370a692ff962e99dec5d60d93302783e
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Mon Jun 16 08:40:41 2014 +0200
Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #336).
diff --git a/debian/changelog b/debian/changelog
index 5bfb7a7..14f29b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2goclient (4.0.2.1-0x2go1) UNRELEASED; urgency=low
we force X2Go client to only use the default "accelerated X" as
system tray icon (and prohibit usage of the session's icon as
tray icon). (Fixes: #365).
+ - Disallow server-side users to override X2Go Server commands via
+ ~/bin (or similar). (Fixes: #336).
* debian/control:
+ Add dbg:package x2goplugin-dbg.
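Review bot: The two added changelog lines under 4.0.2.1 say that overriding via ~/bin is disallowed but not how the client now locates server commands, and they omit the side effect raised in the original report, that an X2Go Server installed under a user's home directory may stop working. Suggest naming the mechanism in the entry and adding that compatibility note so administrators reading the changelog know what changes for them. Only the debian/changelog hunk is visible in this mail, so the code change itself has to be reviewed at the commitdiff link given above.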
Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:45:02 GMT)
Marked as fixed in versions 4.0.2.1. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 16 Jun 2014 06:45:02 GMT)
Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Bug#336. (Mon, 16 Jun 2014 06:45:03 GMT)
Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>: Bug#336; Package x2goclient. (Tue, 21 Oct 2014 11:30:04 GMT)
Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 21 Oct 2014 11:30:05 GMT)
Message #29 received at 336@bugs.x2go.org:
close #336
thanks
Hello,
we are very hopeful that X2Go issue #336 reported by you
has been resolved in the new release (4.0.3.0) of the
X2Go source project »src:x2goclient«.
You can view the complete changelog entry of src:x2goclient (4.0.3.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=04ed56d4162f000b093bea13aa2582c2de718144;hp=85bf0c6e7539910fff779689528009a897cdceb4
If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.
Thanks a lot for contributing to X2Go!!!
light+love
X2Go Git Admin (on behalf of the sender of this mail)
---
X2Go Component: src:x2goclient
Version: 4.0.3.0-0x2go1
Status: RELEASE
Date: Tue, 21 Oct 2014 12:38:56 +0200
Fixes: 108 159 253 258 336 474 522 525 566 568 571 580 587 590 597 603 607 608 609 612 636
Changes:
x2goclient (4.0.3.0-0x2go1) RELEASED; urgency=low
.
[ Mike Gabriel ]
* New upstream release (4.0.3.0):
- Disallow server-side users to override X2Go Server commands via
~/bin (or similar). (Fixes: #336).
- Avoid uninitialised variables on early calls of ONMainWindow::closeEvent()
or ONMainWindow::closeClient(). (Fixes: #253).
- Update translation files. Add empty Portuguese translation. Update
qt_<lang>.qm files from Debian unstable as of today.
- Update German translation file (after session folder feature got added).
- Makefile.man2html: Test if man2html exists. If not, don't fail.
- Honor exports (client-side shared folders) from broker session profiles.
Thanks to Ming Song for providing a patch for this (Fixes: 612).
* debian/control:
+ Add B-D: apache2-dev. On squeeze / lucid builds, this is a superfluous
B-D, but for later Debian/Ubuntu versions, this smoothes the installation
of the x2goplugin-provide bin:package.
+ Update B-D: apache2-dev | libc6-dev. The apache2-dev package does not
exist on all Debian/Ubuntu versions.
* x2goclient.spec:
+ Adapt to building for openSUSE/SLES.
+ openSUSE: Make Qt4 Linguist tools available for Makefile.
+ Upgrade versioned BR for libssh-devel (0.6.3 or patched 0.5.5).
+ The libqt4-linguist split off happened in openSUSE 13.1.
+ Add x2goclient-rpmlintrc file.
+ In openSUSE, it is openldap2-devel, in Fedora/RHEL it is openldap-devel.
+ In openSUSE, openssh is openssh (not openssh-clients / openssh-server).
.
[ Oleksandr Shneyder ]
* New upstream release (4.0.3.0):
- Fix running x2goclient without arguments on Windows. (Fixes: #522).
- Save proxy output in $HOME/S-$SESSION-ID/session.log if debugging is
enabled.
- Fork x2goclient on windows and terminate child processes if X2Go Client
crashed. (Fixes: #159).
- Add "clipboard" parameter to session profile and to command line options.
(Fixes: #258).
- Replace qCritical() with printError() by argument parsing.
- Update translation files.
- Update Russian translation.
- Update string "&Clipboard Mode" and translate in Russian translation file.
- Grammar fix in Russian translation.
- Add x2gohelper to start X2Go Client on Windows and clean child processes
if X2Go Client crashes. (Fixes: #525).
- On Windows rename x2goclient.exe to x2goclient-mainprocess.exe and
x2gohelper.exe to x2goclient.exe.
- Start x2gohelper from X2Go Client. Revert name changing of X2Go Client and
x2gohelper.
- Add Makefile for x2gohelper.
- Add support for sessions folders.
- Add folder explorer: a GUI to manage session subfolders.
- Support for sessions subfolders in sessionmanagedialog.
- Session name autocompletion only for sessions in current folder.
- Support for session subfolders and command-line options "--session"
and "--sessionid".
- Disable session explorer "back" button if user sessions are disabled.
- Include <QDir> in sessionexplorer.cpp.
- Remove deprecated workaround in wapi.cpp.
- Save folder icons Base64 coded. Save icons under General\icon_<PATH>.
(Fixes: #580).
- Fix placing sessions folders in broker mode.
- Fix onmainwindow.cpp after 76ae96781f1d2d5754ee4751539d5de47f1d0297.
- Add support for session selection in broker mode.
.
[ Mike DePaulo ]
* New upstream release (4.0.3.0):
- Make X2Go Client aware of the Cinnamon (CINNAMON) desktop environment.
(Fixes: #571)
- Make X2Go Client aware of the Trinity (TRINITY) desktop environment.
(Fixes: #609)
- Make X2Go Client aware of the Openbox (OPENBOX) window manager.
(Fixes: #607)
- Make X2Go Client aware of the IceWM (ICEWM) window manager.
(Fixes: #608)
- Windows: Fix not being able to add the server to the known_hosts file when
the username has non-English characters. (Fixes: #566)
(NOTE: This fix only works when the non-English characters are in the same
language as the Windows "system locale" AKA "Language for non-Unicode
programs." Bug #611 was written for fixing the issue for languages other
than the system locale.)
Thanks George Trakatelis (uom.edu.gr) for submitting part of this fix.
- Windows: Install VcXsrv "misc" fonts by default, and make all 4 font
groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
Note: The fact that all the fonts are included makes the installer about
30MB larger.
- Windows: Bundle new version of VcXsrv: 1.15.2.1-xp+vc2013+x2go1
This new version is based on upstream VcXsrv 1.15.2.0, but still
compatible with Windows XP. It also has its bundled OpenSSL updated to
1.0.1j. It is compiled with Microsoft Visual C++ 2013 and contains 1
X2Go-specific change, winmultiwindow.patch. This patch fixes an issue
when resizing the NX-proxy window on specific multiple monitor setups.
(Thanks Oleksandr Shneyder for the patch) (Fixes: #568) (Fixes: #594)
- Windows: Port from MinGW 4.4 + Qt 4.8.5 to MinGW 4.8.2 + Qt 4.8.6,
including fix for QTBUG-38706 (Fixes: #474, #603)
- Windows: Fix missing VcXsrv/zlib1.dll . The impact of this bug was that
VcXsrv would not start if the cwd was changed from the x2goclient
directory. (The start menu and desktop shortcuts do have the x2goclient
directory as the cwd. So they were not affected.) (Fixes: #587)
- Windows: Make the desktop shortcut optional during install,
but still the default.
- Windows: Upgrade libssh from 0.5.5 to 0.6.3. This fixes connecting to
hpn-enabled SSH servers. The Pageant support patch from the KDE Windows
project was ported to 0.6.3 by myself and Mike Frederick.
(Gmail: psududemike) (Fixes: #590)
- Windows: Win32 OpenSSL updated from 1.0.1h to 1.0.1j, which fixes the
CVEs announced on 2014-08-06 & 2014-10-15.
- Windows: Replace Cygwin Bash (sh.exe) with Cygwin Dash (ash.exe renamed
to sh.exe). This also means fewer Cygwin .DLLs are bundled.
(Fixes: #636)
- Windows: cygwin packages (excluding OpenSSH, which is at the patched
version of 6.6.1p1-3-x2go1) updated from latest versions as of 2014-06-09
to latest versions as of 2014-10-18. This includes openssl 1.0.1j-1, which
fixes the CVEs announced on 2014-08-06 & 2014-10-15.
(Cygwin openssl was also individually updated in 4.0.2.1+hotfix1+build2,
but only to 1.0.1i-1.)
- Windows: Build nxproxy.exe with Cygwin's libpng 1.5.x rather than 1.2.x.
(This may improve performance when PNG compression is selected.)
- Windows: Build cygwin openssh without krb5 or tcp_wrappers support because
X2Go Client for Windows does not use either feature.
(On Windows, Kerberos 5 (GSSAPI) support is provided by PuTTY.)
- Windows: Fix text not being rendered properly at end of NSIS installer
(Fixes: #597)
.
[ Stefan Baur ]
* New upstream version (4.0.3.0):
- Update German translation file.
.
[ Ricardo Díaz Martín ]
* New upstream version (4.0.3.0):
- Update Spanish translation file.
.
[ Martti Pitkanen ]
* New upstream version (4.0.3.0):
- Update Finnish translation file.
.
[ Jos Wolfram ]
* New upstream version (4.0.3.0):
- Update Dutch translation file.
.
[ Robert Parts ]
* New upstream version (4.0.3.0):
- Add Estonian translation file.
.
[ Klaus Ade Johnstad ]
* New upstream version (4.0.3.0):
- Update Bokmal (Norway) translation file.
.
[ Daniel Lindgren ]
* New upstream version (4.0.3.0):
- Update Swedish translation file.
.
* Translation status:
OK - Updating 'x2goclient/x2goclient_de.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
INCOMPLETE - Updating 'x2goclient/x2goclient_da.qm'...
Generated 536 translation(s) (526 finished and 10 unfinished)
Ignored 30 untranslated source text(s)
OK - Updating 'x2goclient/x2goclient_es.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
OK - Updating 'x2goclient/x2goclient_et.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
OK - Updating 'x2goclient/x2goclient_fi.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
INCOMPLETE - Updating 'x2goclient/x2goclient_fr.qm'...
Generated 254 translation(s) (201 finished and 53 unfinished)
Ignored 312 untranslated source text(s)
OK - Updating 'x2goclient/x2goclient_nb_no.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
OK - Updating 'x2goclient/x2goclient_nl.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
UNTRANSLATED - Updating 'x2goclient/x2goclient_pt.qm'...
Generated 0 translation(s) (0 finished and 0 unfinished)
Ignored 566 untranslated source text(s)
INCOMPLETE - Updating 'x2goclient/x2goclient_ru.qm'...
Generated 552 translation(s) (543 finished and 9 unfinished)
Ignored 14 untranslated source text(s)
OK - Updating 'x2goclient/x2goclient_sv.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished)
INCOMPLETE - Updating 'x2goclient/x2goclient_zh_tw.qm'...
Generated 397 translation(s) (372 finished and 25 unfinished)
Ignored 169 untranslated source text(s)
Marked Bug as done. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Tue, 21 Oct 2014 11:30:35 GMT)
Notification sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Bug acknowledged by developer. (Tue, 21 Oct 2014 11:30:35 GMT)
Message sent on to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>: Bug#336. (Tue, 21 Oct 2014 11:30:40 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Wed, 19 Nov 2014 06:24:02 GMT)
X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 13:55:11 2024; Machine Name: ymir.das-netzwerkteam.de