Date: Tue, 29 Oct 2013 12:41:06 +0000
Message-ID: <20131029124106.Horde.xagnkAt_UswgeDkpr-Foog9@mail.das-netzwerkteam.de>
From: Mike Gabriel
To: submit@bugs.x2go.org
Subject: Don't allow users to override X2Go commands via ~/bin (or similar)

Package: x2goclient
Severity: important

In X2Go it is currently possible to replace every command in X2Go Server by a command of the same name in ~/bin.

An attacker could use this to infiltrate X2Go Client with arbitrary data.

IMHO, we should make sure, X2Go Client only uses system-wide paths when evoking commands on X2Go Servers.

This, of course, will boycott installing X2Go Server into ~ space, but actually, I prefer a safe setup to such custom installation tweaks.

Feedback?!?

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Date: Tue, 29 Oct 2013 13:43:08 +0000
Message-ID: <20131029134308.Horde.gTVHMctGDotcg4yrnU7YKw1@mail.das-netzwerkteam.de>
From: Mike Gabriel
To: 334@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#334: Don't allow users to override X2Go commands via ~/bin (or similar)
In-Reply-To: <20131029124106.Horde.xagnkAt_UswgeDkpr-Foog9@mail.das-netzwerkteam.de>

clone #334 -1
reassign #334 python-x2go
thanks

Hi all,

On Tue 29 Oct 2013 13:41:06 CET, Mike Gabriel wrote:

> Package: x2goclient
> Severity: important
>
> In X2Go it is currently possible to replace every command in X2Go
> Server by a command of the same name in ~/bin.
>
> An attacker could use this to infiltrate X2Go Client with arbitrary data.
>
> IMHO, we should make sure, X2Go Client only uses system-wide paths
> when evoking commands on X2Go Servers.
>
> This, of course, will boycott installing X2Go Server into ~
> space, but actually, I prefer a safe setup to such custom
> installation tweaks.
>
> Feedback?!?
>
> Mike

This issue also applies to Python X2Go.

Mike

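An added illustration (not code from X2Go or from this thread) of the lookup-order problem the report describes: with a user-writable directory ahead of the system directories in PATH, a bare command name resolves to the user's file, while a system-only PATH does not. The sandbox layout, the stand-in files, the helper function names and the TRUSTED_PATH value are assumptions made for the demo; `x2golistsessions` serves only as a sample command name.

```sh
#!/bin/sh
# Added illustration, not X2Go code. Everything lives in a temporary sandbox;
# the two x2golistsessions files are constructed stand-ins, never executed.

# Assumption: the directories a client would treat as system-wide.
TRUSTED_PATH="/usr/local/bin:/usr/bin:/bin"

# make_sandbox -> prints a temp dir holding a fake home tree and a fake system
# tree, each with an executable file of the same name.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    for tree in home system; do
        mkdir -p "$sb/$tree/bin" || return 1
        printf '#!/bin/sh\necho "from %s tree"\n' "$tree" \
            > "$sb/$tree/bin/x2golistsessions"
        chmod 755 "$sb/$tree/bin/x2golistsessions"
    done
    printf '%s\n' "$sb"
}

# resolve_cmd PATHVALUE NAME -> prints the file a shell with that PATH would
# run for the bare command NAME (first match wins); non-zero if none.
resolve_cmd() {
    ( PATH=$1; command -v "$2" )
}

# is_trusted_resolution PATHVALUE NAME TRUSTED -> 0 only when NAME resolves to
# a file that sits directly in one of the colon-separated TRUSTED directories.
is_trusted_resolution() {
    resolved=$(resolve_cmd "$1" "$2") || return 1
    dir=${resolved%/*}
    (
        IFS=:
        set -f                      # no globbing while splitting on ':'
        for t in $3; do
            [ "$dir" = "$t" ] && exit 0
        done
        exit 1
    )
}

# pinned_remote_cmd NAME [ARGS...] -> command line that resets PATH before the
# lookup happens, so entries such as ~/bin are never consulted.
pinned_remote_cmd() {
    printf 'PATH=%s; export PATH; %s\n' "$TRUSTED_PATH" "$*"
}

demo() {
    sb=$(make_sandbox) || return 1
    user_path="$sb/home/bin:$sb/system/bin"     # ~/bin listed first
    system_path="$sb/system/bin"
    echo "user PATH   -> $(resolve_cmd "$user_path" x2golistsessions)"
    echo "pinned PATH -> $(resolve_cmd "$system_path" x2golistsessions)"
    if is_trusted_resolution "$user_path" x2golistsessions "$system_path"; then
        echo "user PATH: resolves inside trusted dirs"
    else
        echo "user PATH: shadowed by a file outside trusted dirs"
    fi
    pinned_remote_cmd x2golistsessions
    rm -rf "$sb"
}

demo
```

Pinning the lookup this way also means a server installed under a home directory is no longer found, which is the trade-off the report accepts.
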
From: Mike Gabriel
To: 336-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 336@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Message-Id: <20140616064153.778CE5DB2C@ymir.das-netzwerkteam.de>
Date: Mon, 16 Jun 2014 08:41:53 +0200 (CEST)

tag #336 pending
fixed #336 4.0.2.1
thanks

Hello,

X2Go issue #336 (src:x2goclient) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=4eb1fd1

The issue will most likely be fixed in src:x2goclient (4.0.2.1).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 4eb1fd18370a692ff962e99dec5d60d93302783e
Author: Mike Gabriel
Date: Mon Jun 16 08:40:41 2014 +0200

    Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #336).

diff --git a/debian/changelog b/debian/changelog index 5bfb7a7..14f29b6 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -9,6 +9,8 @@ x2goclient (4.0.2.1-0x2go1) UNRELEASED; urgency=low we force X2Go client to only use the default "accelerated X" as system tray icon (and prohibit usage of the session's icon as tray icon). (Fixes: #365). + - Disallow server-side users to override X2Go Server commands via + ~/bin (or similar). (Fixes: #336). * debian/control: + Add dbg:package x2goplugin-dbg.
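
Review bot: the changelog entry added at the end of the 4.0.2.1 upstream items says what is disallowed but not how, and it does not mention the side effect raised in the report, that an X2Go Server installed under a home directory will no longer be found. Suggest naming the mechanism in the entry (for example that commands are looked up in system-wide paths only, if that is what the code change does) and adding a line about the home-directory install case. Only debian/changelog is visible in this mail, so the code change itself cannot be checked against the entry here.
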
From: Mike Gabriel
To: 336-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 336@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Message-Id: <20141021112609.950033D45C@ymir.das-netzwerkteam.de>
Date: Tue, 21 Oct 2014 13:26:09 +0200 (CEST)

close #336
thanks

Hello,

we are very hopeful that X2Go issue #336 reported by you has been resolved in the new release (4.0.3.0) of the X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.3.0) below, and you can use the following link to view all the code changes between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=04ed56d4162f000b093bea13aa2582c2de718144;hp=85bf0c6e7539910fff779689528009a897cdceb4

If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.3.0-0x2go1
Status: RELEASE
Date: Tue, 21 Oct 2014 12:38:56 +0200
Fixes: 108 159 253 258 336 474 522 525 566 568 571 580 587 590 597 603 607 608 609 612 636
Changes:
 x2goclient (4.0.3.0-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream release (4.0.3.0):
     - Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #336).
     - Avoid uninitialised variables on early calls of ONMainWindow::closeEvent() or ONMainWindow::closeClient(). (Fixes: #253).
     - Update translation files. Add empty Portuguese translation. Update qt_.qm files from Debian unstable as of today.
     - Update German translation file (after session folder feature got added).
     - Makefile.man2html: Test if man2html exists. If not, don't fail.
     - Honor exports (client-side shared folders) from broker session profiles. Thanks to Ming Song for providing a patch for this (Fixes: 612).
   * debian/control:
     + Add B-D: apache2-dev. On squeeze / lucid builds, this is a superfluous B-D, but for later Debian/Ubuntu versions, this smoothes the installation of the x2goplugin-provide bin:package.
     + Update B-D: apache2-dev | libc6-dev. The apache2-dev package does not exist on all Debian/Ubuntu versions.
   * x2goclient.spec:
     + Adapt to building for openSUSE/SLES.
     + openSUSE: Make Qt4 Linguist tools available for Makefile.
     + Upgrade versioned BR for libssh-devel (0.6.3 or patched 0.5.5).
     + The libqt4-linguist split off happened in openSUSE 13.1.
     + Add x2goclient-rpmlintrc file.
     + In openSUSE, it is openldap2-devel, in Fedora/RHEL it is openldap-devel.
     + In openSUSE, openssh is openssh (not openssh-clients / openssh-server).
 .
   [ Oleksandr Shneyder ]
   * New upstream release (4.0.3.0):
     - Fix running x2goclient without arguments on Windows. (Fixes: #522).
     - Save proxy output in $HOME/S-$SESSION-ID/session.log if debugging is enabled.
     - Fork x2goclient on windows and terminate child processes if X2Go Client crashed. (Fixes: #159).
     - Add "clipboard" parameter to session profile and to command line options. (Fixes: #258).
     - Replace qCritical() with printError() by argument parsing.
     - Update translation files.
     - Update Russian translation.
     - Update string "&Clipboard Mode" and translate in Russian translation file.
     - Grammar fix in Russian translation.
     - Add x2gohelper to start X2Go Client on Windows and clean child processes if X2Go Client crashes. (Fixes: #525).
     - On Windows rename x2goclient.exe to x2goclient-mainprocess.exe and x2gohelper.exe to x2goclient.exe.
     - Start x2gohelper from X2Go Client. Revert name changing of X2Go Client and x2gohelper.
     - Add Makefile for x2gohelper.
     - Add support for sessions folders.
     - Add folder explorer: a GUI to manage session subfolders.
     - Support for sessions subfolders in sessionmanagedialog.
     - Session name autocompletion only for sessions in current folder.
     - Support for session subfolders and command-line options "--session" and "--sessionid".
     - Disable session explorer "back" button if user sessions are disabled.
     - Include in sessionexplorer.cpp.
     - Remove deprecated workaround in wapi.cpp.
     - Save folder icons Base64 coded. Save icons under General\icon_. (Fixes: #580).
     - Fix placing sessions folders in broker mode.
     - Fix onmainwindow.cpp after 76ae96781f1d2d5754ee4751539d5de47f1d0297.
     - Add support for session selection in broker mode.
 .
   [ Mike DePaulo ]
   * New upstream release (4.0.3.0):
     - Make X2Go Client aware of the Cinnamon (CINNAMON) desktop environment. (Fixes: #571)
     - Make X2Go Client aware of the Trinity (TRINITY) desktop environment. (Fixes: #609)
     - Make X2Go Client aware of the Openbox (OPENBOX) window manager. (Fixes: #607)
     - Make X2Go Client aware of the IceWM (ICEWM) window manager. (Fixes: #608)
     - Windows: Fix not being able to add the server to the known_hosts file when the username has non-English characters. (Fixes: #566)
       (NOTE: This fix only works when the non-English characters are in the same language as the Windows "system locale" AKA "Language for non-Unicode programs." Bug #611 was written for fixing the issue for languages other than the system locale.)
       Thanks George Trakatelis (uom.edu.gr) for submitting part of this fix.
     - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font groups optional: misc, 75dpi, 100dpi and others (Fixes: #108)
       Note: The fact that all the fonts are included makes the installer about 30MB larger.
     - Windows: Bundle new version of VcXsrv: 1.15.2.1-xp+vc2013+x2go1
       This new version is based on upstream VcXsrv 1.15.2.0, but still compatible with Windows XP. It also has its bundled OpenSSL updated to 1.0.1j. It is compiled with Microsoft Visual C++ 2013 and contains 1 X2Go-specific change, winmultiwindow.patch. This patch fixes an issue when resizing the NX-proxy window on specific multiple monitor setups. (Thanks Oleksandr Shneyder for the patch) (Fixes: #568) (Fixes: #594)
     - Windows: Port from MinGW 4.4 + Qt 4.8.5 to MinGW 4.8.2 + Qt 4.8.6, including fix for QTBUG-38706 (Fixes: #474, #603)
     - Windows: Fix missing VcXsrv/zlib1.dll. The impact of this bug was that VcXsrv would not start if the cwd was changed from the x2goclient directory. (The start menu and desktop shortcuts do have the x2goclient directory as the cwd. So they were not affected.) (Fixes: #587)
     - Windows: Make the desktop shortcut optional during install, but still the default.
     - Windows: Upgrade libssh from 0.5.5 to 0.6.3. This fixes connecting to hpn-enabled SSH servers. The Pageant support patch from the KDE Windows project was ported to 0.6.3 by myself and Mike Frederick. (Gmail: psududemike) (Fixes: #590)
     - Windows: Win32 OpenSSL updated from 1.0.1h to 1.0.1j, which fixes the CVEs announced on 2014-08-06 & 2014-10-15.
     - Windows: Replace Cygwin Bash (sh.exe) with Cygwin Dash (ash.exe renamed to sh.exe). This also means fewer Cygwin .DLLs are bundled. (Fixes: #636)
     - Windows: cygwin packages (excluding OpenSSH, which is at the patched version of 6.6.1p1-3-x2go1) updated from latest versions as of 2014-06-09 to latest versions as of 2014-10-18. This includes openssl 1.0.1j-1, which fixes the CVEs announced on 2014-08-06 & 2014-10.15. (Cygwin openssl was also individually updated in 4.0.2.1+hotfix1+build2, but only to 1.0.1i-1.)
     - Windows: Build nxproxy.exe with Cygwin's libpng 1.5.x rather than 1.2.x. (This may improve performance when PNG compression is selected.)
     - Windows: Build cygwin openssh without krb5 or tcp_wrappers support because X2Go Client for Windows does not use either feature. (On Windows, Kerberos 5 (GSSAPI) support is provided by PuTTY.)
     - Windows: Fix text not being rendered properly at end of NSIS installer (Fixes: #597)
 .
   [ Stefan Baur ]
   * New upstream version (4.0.3.0):
     - Update German translation file.
 .
   [ Ricardo Díaz Martín ]
   * New upstream version (4.0.3.0):
     - Update Spanish translation file.
 .
   [ Martti Pitkanen ]
   * New upstream version (4.0.3.0):
     - Update Finnish translation file.
 .
   [ Jos Wolfram ]
   * New upstream version (4.0.3.0):
     - Update Dutch translation file.
 .
   [ Robert Parts ]
   * New upstream version (4.0.3.0):
     - Add Estonian translation file.
 .
   [ Klaus Ade Johnstad ]
   * New upstream version (4.0.3.0):
     - Update Bokmal (Norway) translation file.
 .
   [ Daniel Lindgren ]
   * New upstream version (4.0.3.0):
     - Update Swedish translation file.
 .
   * Translation status:
     OK - Updating 'x2goclient/x2goclient_de.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     INCOMPLETE - Updating 'x2goclient/x2goclient_da.qm'...
         Generated 536 translation(s) (526 finished and 10 unfinished)
         Ignored 30 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_es.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_et.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_fi.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     INCOMPLETE - Updating 'x2goclient/x2goclient_fr.qm'...
         Generated 254 translation(s) (201 finished and 53 unfinished)
         Ignored 312 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_nb_no.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     OK - Updating 'x2goclient/x2goclient_nl.qm'...
         Generated 566 translation(s) (566 finished and 0 unfinished)
     UNTRANSLATED - Updating 'x2goclient/x2goclient_pt.qm'...
         Generated 0 translation(s) (0 finished and 0 unfinished)
         Ignored 566 untranslated source text(s)
     INCOMPLETE - Updating 'x2goclient/x2goclient_ru.qm'...
         Generated 552 translation(s) (543 finished and 9 unfinished)
         Ignored 14 untranslated source text(s)
     OK - Updating 'x2goclient/x2goclient_sv.qm'...
Generated 566 translation(s) (566 finished and 0 unfinished) INCOMPLETE - Updating 'x2goclient/x2goclient_zh_tw.qm'... Generated 397 translation(s) (372 finished and 25 unfinished) Ignored 169 untranslated source text(s)

From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#336 closed by Mike Gabriel (X2Go issue (in src:x2goclient) has been marked as closed)
References: <20141021112609.950033D45C@ymir.das-netzwerkteam.de>
Date: Tue, 21 Oct 2014 11:30:35 +0000

This is an automatic notification regarding your Bug report which was filed against the x2goclient package:

#336: Don't allow users to override X2Go commands via ~/bin (or similar)

It has been closed by Mike Gabriel.

Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mike Gabriel by replying to this email.

-- 
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems

From: Mike Gabriel
To: 336-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 336@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Message-Id: <20141021112609.950033D45C@ymir.das-netzwerkteam.de>
Date: Tue, 21 Oct 2014 13:26:09 +0200 (CEST)

close #336
thanks

Hello,

we are very hopeful that X2Go issue #336 reported by you has been resolved in the new release (4.0.3.0) of the X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.3.0) below, and you can use the following link to view all the code changes between this and the last release of src:x2goclient.

http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=04ed56d4162f000b093bea13aa2582c2de718144;hp=85bf0c6e7539910fff779689528009a897cdceb4

If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.3.0-0x2go1
Status: RELEASE
Date: Tue, 21 Oct 2014 12:38:56 +0200
Fixes: 108 159 253 258 336 474 522 525 566 568 571 580 587 590 597 603 607 608 609 612 636

Changes: x2goclient (4.0.3.0-0x2go1) RELEASED; urgency=low . [ Mike Gabriel ] * New upstream release (4.0.3.0): - Disallow server-side users to override X2Go Server commands via ~/bin (or similar). (Fixes: #336). - Avoid uninitialised variables on early calls of ONMainWindow::closeEvent() or ONMainWindow::closeClient(). (Fixes: #253). - Update translation files. Add empty Portuguese translation. Update qt_.qm files from Debian unstable as of today. - Update German translation file (after session folder feature got added). - Makefile.man2html: Test if man2html exists.
If not, don't fail. - Honor exports (client-side shared folders) from broker session profiles. Thanks to Ming Song for providing a patch for this (Fixes: 612). * debian/control: + Add B-D: apache2-dev. On squeeze / lucid builds, this is a superfluous B-D, but for later Debian/Ubuntu versions, this smoothes the installation of the x2goplugin-provide bin:package. + Update B-D: apache2-dev | libc6-dev. The apache2-dev package does not exist on all Debian/Ubuntu versions. * x2goclient.spec: + Adapt to building for openSUSE/SLES. + openSUSE: Make Qt4 Linguist tools available for Makefile. + Upgrade versioned BR for libssh-devel (0.6.3 or patched 0.5.5). + The libqt4-linguist split off happened in openSUSE 13.1. + Add x2goclient-rpmlintrc file. + In openSUSE, it is openldap2-devel, in Fedora/RHEL it is openldap-devel. + In openSUSE, openssh is openssh (not openssh-clients / openssh-server). . [ Oleksandr Shneyder ] * New upstream release (4.0.3.0): - Fix running x2goclient without arguments on Windows. (Fixes: #522). - Save proxy output in $HOME/S-$SESSION-ID/session.log if debugging is enabled. - Fork x2goclient on windows and terminate child processes if X2Go Client crashed. (Fixes: #159). - Add "clipboard" parameter to session profile and to command line options. (Fixes: #258). - Replace qCritical() with printError() by argument parsing. - Update translation files. - Update russian translation. - Update string "&Clipboard Mode" and translate in russian translation file. - Grammar fix in russian translation. - Add x2gohelper to start X2Go Client on Windows and clean child processes if X2Go Client crashes. (Fixes: #525). - On Windows rename x2goclient.exe to x2goclient-mainprocess.exe and x2gohelper.exe to x2goclient.exe. - Start x2gohelper from X2Go Client. Revert name changing of X2Go Client and x2gohelper. - Add Makefile for x2gohelper. - Add support for sessions folders. - Add folder explorer: a GUI to manage of session subfolders. 
- Support for sessions subfolders in sessionmanagedialog. - Session name autocompletion only for sessions in current folder. - Support for session subfolders and command-line options "--session" and "--sessionid". - Disable session explorer "back" button if user sessions are disabled. - Include in sessionexplorer.cpp. - Remove deprecated workaround in wapi.cpp. - Save folder icons Base64 coded. Save icons under General\icon_. (Fixes: #580). - Fix placing sessions folders in broker mode. - Fix onmainwindow.cpp after 76ae96781f1d2d5754ee4751539d5de47f1d0297. - Add support for session selection in broker mode. . [ Mike DePaulo ] * New upstream release (4.0.3.0): - Make X2Go Client aware of the Cinnamon (CINNAMON) desktop environment. (Fixes: #571) - Make X2Go Client aware of the Trinity (TRINITY) desktop environment. (Fixes: #609) - Make X2Go Client aware of the Openbox (OPENBOX) window manager. (Fixes: #607) - Make X2Go Client aware of the IceWM (ICEWM) window manager. (Fixes: #608) - Windows: Fix not being able to add the server to the known_hosts file when the username has non-English characters. (Fixes: #566) (NOTE: This fix only works when the non-English characters are in the same language as the Windows "system locale" AKA "Language for non-Unicode programs." Bug #611 was written for fixing the issue for languages other than the system locale.) Thanks George Trakatelis (uom.edu.gr) for submitting part of this fix. - Windows: Install VcXsrv "misc" fonts by default, and make all 4 font groups optional: misc, 75dpi, 100dpi and others (Fixes: #108) Note: The fact that all the fonts are included makes the installer about 30MB larger. - Windows: Bundle new version of VcXsrv: 1.15.2.1-xp+vc2013+x2go1 This new version is based on upstream VcXsrv 1.15.2.0, but still compatible with Windows XP. It also has its bundled OpenSSL updated to 1.0.1j. It is compiled with Microsoft Visual C++ 2013 and contains 1 X2Go-specific change, winmultiwindow.patch. 
This patch fixes an issue when resizing the NX-proxy window on specific multiple monitor setups. (Thanks Oleksandr Shneyder for the patch) (Fixes: #568) (Fixes: #594) - Windows: Port from MinGW 4.4 + Qt 4.8.5 to MinGW 4.8.2 + Qt 4.8.6, including fix for QTBUG-38706 (Fixes: #474, #603) - Windows: Fix missing VcXsrv/zlib1.dll . The impact of this bug was that VcXsrv would not start if the cwd was changed from the x2goclient directory. (The start menu and desktop shortcuts do have the x2goclient directory as the cwd. So they were not affected.) (Fixes: #587) - Windows: Make the desktop shortcut optional during install, but still the default. - Windows: Upgrade libssh from 0.5.5 to 0.6.3. This fixes connecting to hpn-enabled SSH servers. The Pageant support patch from the KDE Windows project was ported to 0.6.3 by myself and Mike Frederick. (Gmail: psududemike) (Fixes: #590) - Windows: Win32 OpenSSL updated from 1.0.1h to 1.0.1j, which fixes the CVEs announced on 2014-08-06 & 2014-10-15. - Windows: Replace Cygwin Bash (sh.exe) with Cygwin Dash (ash.exe renamed to sh.exe). This also means fewer Cygwin .DLLs are bundled. (Fixes: #636) - Windows: cygwin packages (excluding OpenSSH, which is at the patched version of 6.6.1p1-3-x2go1) updated from latest versions as of 2014-06-09 to latest versions as of 2014-10-18. This includes openssl 1.0.1j-1, which fixes the CVEs announced on 2014-08-06 & 2014-10.15. (Cygwin openssl was also individually updated in 4.0.2.1+hotfix1+build2, but only to 1.0.1i-1.) - Windows: Build nxproxy.exe with Cygwin's libpng 1.5.x rather than 1.2.x. (This may improve performance when PNG compression is selected.) - Windows: Build cygwin openssh without krb5 or tcp_wrappers support because X2Go Client for Windows does not use either feature. (On Windows, Kerberos 5 (GSSAPI) support is provided by PuTTY.) - Windows: Fix text not being rendered properly at end of NSIS installer (Fixes: #597) . 
[ Stefan Baur ] * New upstream version (4.0.3.0): - Update German translation file. . [ Ricardo Díaz Martín ] * New upstream version (4.0.3.0): - Update Spanish translation file. . [ Martti Pitkanen ] * New upstream version (4.0.3.0): - Update Finnish translation file. . [ Jos Wolfram ] * New upstream version (4.0.3.0): - Update Dutch translation file. . [ Robert Parts ] * New upstream version (4.0.3.0): - Add Estonian translation file. . [ Klaus Ade Johnstad ] * New upstream version (4.0.3.0): - Update Bokmal (Norway) translation file. . [ Daniel Lindgren ] * New upstream version (4.0.3.0): - Update Swedish translation file. . * Translation status: OK - Updating 'x2goclient/x2goclient_de.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) INCOMPLETE - Updating 'x2goclient/x2goclient_da.qm'... Generated 536 translation(s) (526 finished and 10 unfinished) Ignored 30 untranslated source text(s) OK - Updating 'x2goclient/x2goclient_es.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) OK - Updating 'x2goclient/x2goclient_et.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) OK - Updating 'x2goclient/x2goclient_fi.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) INCOMPLETE - Updating 'x2goclient/x2goclient_fr.qm'... Generated 254 translation(s) (201 finished and 53 unfinished) Ignored 312 untranslated source text(s) OK - Updating 'x2goclient/x2goclient_nb_no.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) OK - Updating 'x2goclient/x2goclient_nl.qm'... Generated 566 translation(s) (566 finished and 0 unfinished) UNTRANSLATED - Updating 'x2goclient/x2goclient_pt.qm'... Generated 0 translation(s) (0 finished and 0 unfinished) Ignored 566 untranslated source text(s) INCOMPLETE - Updating 'x2goclient/x2goclient_ru.qm'... Generated 552 translation(s) (543 finished and 9 unfinished) Ignored 14 untranslated source text(s) OK - Updating 'x2goclient/x2goclient_sv.qm'... 
Generated 566 translation(s) (566 finished and 0 unfinished) INCOMPLETE - Updating 'x2goclient/x2goclient_zh_tw.qm'... Generated 397 translation(s) (372 finished and 25 unfinished) Ignored 169 untranslated source text(s)

Date: Tue, 29 Oct 2013 12:41:06 +0000
Message-ID: <20131029124106.Horde.xagnkAt_UswgeDkpr-Foog9@mail.das-netzwerkteam.de>
From: Mike Gabriel
To: submit@bugs.x2go.org
Subject: Don't allow users to override X2Go commands via ~/bin (or similar)

Package: x2goclient
Severity: important

In X2Go it is currently possible to replace every command in X2Go Server by a command of the same name in ~/bin. An attacker could use this to infiltrate X2Go Client with arbitrary data.

IMHO, we should make sure, X2Go Client only uses system-wide paths when evoking commands on X2Go Servers.

This, of course, will boycott installing X2Go Server into ~ space, but actually, I prefer a safe setup to such custom installation tweaks.

Feedback?!?

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

From: Debbugs Internal Request
To: internal_control@bugs.x2go.org
Subject: Internal Control
Message-Id: Bug archived.
Date: Mi, 19 Nov 2014 06:24:02 +0000

# A New Hope
# A long time ago, in a galaxy far, far away
# something happened.
#
# Magically this resulted in the following
# action being taken, but this fake control
# message doesn't tell you why it happened
#
# The action:
# Bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
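
The report in this thread asks that server-side commands be looked up only in system-wide paths, so that a same-named file in ~/bin cannot take their place. One way to enforce and audit that in a POSIX shell wrapper, as an added example that is not part of the thread or of X2Go's code; the function names, the `TRUSTED_PATH` default and the helper name `demo-listsessions` are assumptions, and the sandbox is constructed:

```shell
#!/bin/sh
# Added example (not X2Go code): run server-side helpers only from system-wide
# directories, never from ~/bin or any other user-writable PATH entry.
# TRUSTED_PATH is an assumed value; set it to where your packages install.
TRUSTED_PATH="${TRUSTED_PATH:-/usr/local/bin:/usr/bin:/bin}"

# resolve_in PATHLIST NAME
# Prints the first executable regular file NAME found in the colon-separated
# PATHLIST. Returns 2 for empty names or names containing "/", 1 if not found.
resolve_in() {
    case $2 in
        ''|*/*) return 2 ;;
    esac
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        # Empty or relative entries resolve against the current directory:
        # never trust them.
        case $_dir in
            /*) ;;
            *) continue ;;
        esac
        if [ -f "$_dir/$2" ] && [ -x "$_dir/$2" ]; then
            printf '%s\n' "$_dir/$2"
            return 0
        fi
    done
    return 1
}

# run_trusted NAME [ARGS...]
# Executes NAME by absolute path from TRUSTED_PATH and pins PATH for the child,
# so helpers it calls are not looked up in the user's directories either.
run_trusted() {
    _cmd=$(resolve_in "$TRUSTED_PATH" "$1") || {
        printf 'refusing %s: not in %s\n' "$1" "$TRUSTED_PATH" >&2
        return 127
    }
    shift
    PATH=$TRUSTED_PATH "$_cmd" "$@"
}

# shadow_check NAME [SEARCH_PATH]
# Audit helper: compares what SEARCH_PATH (default: $PATH) would run with the
# trusted copy. Prints "ok", "absent" or "shadowed"; returns 3 when shadowed.
shadow_check() {
    _trusted=$(resolve_in "$TRUSTED_PATH" "$1") || { echo "missing $1"; return 1; }
    _seen=$(resolve_in "${2:-$PATH}" "$1") || _seen=
    if [ -z "$_seen" ]; then
        echo "absent"
        return 0
    fi
    if [ "$_seen" = "$_trusted" ]; then
        echo "ok $_trusted"
        return 0
    fi
    echo "shadowed $_seen"
    return 3
}

# Constructed sandbox: the same hypothetical helper name in a "system" and a
# "home" bin directory, each printing where it lives.
make_fixture() {
    mkdir -p "$1/sys/bin" "$1/home/bin" || return 1
    printf '#!/bin/sh\necho system\n' > "$1/sys/bin/demo-listsessions"
    printf '#!/bin/sh\necho home\n' > "$1/home/bin/demo-listsessions"
    chmod +x "$1/sys/bin/demo-listsessions" "$1/home/bin/demo-listsessions"
}

demo() {
    _tmp=$(mktemp -d) || return 1
    make_fixture "$_tmp" || return 1
    (
        TRUSTED_PATH="$_tmp/sys/bin"
        # A login PATH that lists the home directory first gets flagged.
        shadow_check demo-listsessions "$_tmp/home/bin:$_tmp/sys/bin" || true
        # The pinned lookup still runs the system copy.
        run_trusted demo-listsessions
    )
    rm -rf "$_tmp"
}
demo
```
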