X2Go Bug report logs - #508
X2GoSession class: add clipboard session parameter

version graph

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Mon, 1 Jul 2013 02:48:02 UTC

Severity: grave

Tags: pending, security

Fixed in version

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.

Full log

🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#508 closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 (X2Go issue (in src:python-x2go) has been marked as closed)
Message-ID: <handler.508.c.141380226418019.notifdone@bugs.x2go.org>
References: <20141020105023.1C7165DB42@ymir.das-netzwerkteam.de>
X-X2go-PR-Keywords: security pending
X-X2go-PR-Message: they-closed 508
X-X2go-PR-Package: python-x2go
X-X2go-PR-Source: python-x2go
Date: Mon, 20 Oct 2014 10:55:22 +0000
Content-Type: multipart/mixed; boundary="----------=_1413802522-3679-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the python-x2go package:

#508: X2GoSession class: add clipboard session parameter

It has been closed by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mike Gabriel <mike.gabriel@das-netzwerkteam.de> by
replying to this email.

X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 508-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 508@bugs.x2go.org
Subject: X2Go issue (in src:python-x2go) has been marked as closed
Date: Mon, 20 Oct 2014 12:50:23 +0200 (CEST)
close #508


we are very hopeful that X2Go issue #508 reported by you
has been resolved in the new release ( of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.


If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

X2Go Git Admin (on behalf of the sender of this mail)

X2Go Component: src:python-x2go
Date: Mon, 20 Oct 2014 12:40:34 +0200
Fixes: 334 358 500 508 532 537 588 602
 python-x2go ( RELEASED; urgency=low
   [ Mike Gabriel ]
   * New upstream version (
     - Split up session profile backend into generic and storage specific
     - Fully rework backend concept in Python X2Go. Breaks compatibility
       with earlier versions of Python X2Go concerning backends (probably
       not really used by third-party products, if at all).
     - Fix setting default values in X2GoClientXConfig class.
     - Default to xdg-open as default PDF viewer command.
     - Provide session profile backend for a http broker.
     - Make session profile backends more unicode robust.
     - X2GoSessionProfile.get_server_hostname must return unicode objects.
     - Speed-optimize session profile ID <-> name mapping.
     - Handle injection of PKey (Paramiko SSH key) objects for authentication
       from the broker session profiles backend.
     - Allow catching "connection refused" errors while talking to an X2Go
       Session Broker (X2GoBrokerConnectionException).
     - Support cookie based authentication against a http(s) session broker.
     - On Windows: Improve debugging when a new X-Server port has to be
     - Capture broker connection problems during selectsession calls to the
       broker via a HOOK method.
     - Allow user interaction via a HOOK if broker connection problems occur.
     - Handle broker setups that don't require credentials. Connection can
       be established simply by leaving the password (and authid) empty.
     - Fix detection of matching path names in X2GoIniFiles.
     - Make sure X2GoClientXConfig config file really gets written to disk
       (after we changed the internas of X2GoIniFile for this new major release).
     - Rename hook method HOOK_no_known_xserver_found to
       HOOK_no_installed_xservers_found. Call this new hook if no installed
       X-Servers could be found on the system.
     - Only check running X-Servers that have the same WMI SessionId as the
       current X2Go application.
     - Session profiles: default value type for exports session profile option
       is an empty dictionary.
     - Make X2GoClient's constructor aware of non-usable X-Server ports.
     - Windows: Fix crash while attempting to find the session window.
     - Support SSH proxy autologin feature of X2Go Session Broker.
     - Provide Telekinesis support in Python X2Go.
     - Stop manipulating session profiles in X2GoSshProxy class. Esp. stop
       manipulating session profiles with deprecated session options.
     - Type-hardening of X2GoSshProxy class. Accept hosts as list and strings.
       If hosts are given as a list, a random list element will be taken as
       host (for connecting and for the SSH proxy tunnel setup).
     - Type-hardening of X2GoControlSession class's C{connect()} method.
       Handle hostnames that come in as lists gracefully.
     - Don't construct the sshproxy_tunnel parameter in x2go/utils.py. Leave
       that to higher level classes that know more about X2Go internals.
     - Add support for a subsystem string when setting up port forwarding
     - Use gevent to spawn the TeKi client start-up process (instead of waiting
       for it to return).
     - Provide support for new session parameter: clipboard. (Fixes: #508).
     - Split up NX output and NX errors into two separate files.
     - Silent ignore it if we cannot detect the local Xlib.display.Display()
       instance (happens with polyinstantiated /tmp dirs).
     - Don't start telekinesis client if not support server-side. Don't attempt
       at starting telekinesis client, if it is not installed.
     - Disallow server-side users to override X2Go Server commands via
       ~/bin (or similar). (Fixes: #334).
     - Handle non-available color depth in X2Go session name gracefully.
       (Fixes: #358).
     - Make sure that the x2gosuspend-session/x2goterminate-session commands
       are sent to the X2Go Server before we take down the NX proxy subprocess.
     - Create a "session.window" file in the session directory. This file for now
       contains one line "ID:<window-id>". The file appears once a session window
       comes up (start/resume), and disappears once the session window closes
     - Only enable Telekinesis client debugging if the logger instance is in
       debug mode.
     - Performance tests have shown, that enabling SSH compression is not a
       good idea. NX should handle that instead (and does).
     - Better control the startup bootstrap of the Telekinesis client
     - Newly understand our own Paramiko/SSH forwarding tunnel code. Become
       aware of handling multiple connects on the same tunnel.
     - Rename LICENSE.txt to COPYING.
     - Be more exact when detecting the NX proxy window id.
     - On non-Windows platforms, enforce usage of the "ares" DNS resolver in
       python-gevent (which is available since Python gevent 1.0~). (Fixes:
     - Use Xlib to detect client-side destop geometry.
     - For reverse port forwardings use IPv4 localhost address only.
     - Assure proper NX Proxy cleanup when sessions suspends/
     - Assure proper Telekinesis client cleanup when sessions suspends/
     - Clean up terminal sessions properly when the clean_sessions() method
       of the control session has got called.
     - Don't use compression on  TeKi sshfs mounts.
     - Handle duplicate profile names gracefully (i.e. append a " (1)",
       " (2)", ... to the session profile name). (Fixes: #500).
     - Support server-side Telekinesis versions that ship their own
     - Use session_name, not session_info object's __str__() method to obtain
       session name (in X2GoTelekinesis).
     - Handle socket errors on the reverse port forwarding tunnels more
     - Handle sudden control session death during local folder sharing
     - Don't choke on non-initialized SSH transport objects when initializing
       SFTP client.
     - Fix transport lock release in X2GoControlSession._x2go_sftp_put().
     - Fix session lock release in various methods of the X2GoSession class.
     - Release _share_local_folder_lock on instance X2GoTerminalSession
     - Detect non-installed sshfs (required for Telekinesis).
     - X2GoControlSession: Don't mess with the associated_terminals dict if
       the control session has already died away (i.e. been forcefully
     - If the listsessions command detects a terminated or suspended session,
       we have to destroy the corresponding X2GoTerminalSession() to trigger
       a proper cleanup of that instance.
     - Fix various hrefs in __doc__ strings.
     - Fix creating/renaming/reconfiguring session profiles. Handle host
       option properly (as list).
     - Make sure we do a deepcopy of the default session profile parameters.
     - Detect more exceptions in the requests module when authenticating against a
       session broker.
     - Only convert the value of the export session profile option if not
       already a Python dictionary.
     - Capture X2GoControlSessionException occurrences during client-side folder
       sharing initializaation while starting/resuming a session.
     - X2GoSessionRegistry: Don't report about sessions that have a not yet
       fully assigned session name / profile name / profile id.
   * debian/control:
     + Add dependencies: python-requests, python-simplejson.
     + Add R (python-x2go): sshfs.
     + Add S (python-x2go): telekinesis-client, mteleplayer-clientside.
     + Update D (python-x2go): python-paramiko (>= 1.15.1-0~). (Fixes: #602).
   * python-x2go.spec:
     + Add dependencies: python-requests, python-simplejson.
     + Additionally adapt to building on openSUSE/SLES.
     + Add all python packages under R to BR (for epydoc run).
     + Update R for python-x2go: python-paramiko >= 1.15.1.
   [ Mike DePaulo ]
   * New upstream version (
     - Windows: Fix compatibility with PulseAudio 3.0 & later (Fixes: #532)
     - Windows: Prevent high PulseAudio CPU usage on Windows XP by lowering
       PulseAudio's CPU priority from "high" to "normal" on XP specifically.
       Also do so on Windows Server 2003 (R2) (Fixes: #537)

[Message part 3 (message/rfc822, inline)]
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: submit@bugs.x2go.org
Subject: SECURITY: x2goclient allows clipboard sniffing
Date: Mon, 01 Jul 2013 04:38:28 +0200
Package: x2goclient
Severity: grave
Tags: security


From: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714588

It seems that per default (and I even found no way to disable it)
x2goclient (and perhaps other
related tools?) transmit the content of the clipboard to the remote

As this may easily contain passwords or other sensitive information,
this is a extremely
critical hole.


Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Dec 14 08:05:29 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.