group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Graham Inggs <graham.inggs+ubuntu@xxxxxxxxx>
Date: Sun, 22 Dec 2019 06:14:03 -0000
Reply-to: Bug 1856795 <1856795@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Fixed in focal:

x2goclient (4.1.2.1-4) unstable; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (Closes: #947129).

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Sat, 21 Dec 2019 17:56:23 +0100


** Changed in: x2goclient (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1856795

Title:
  X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5

Status in libssh package in Ubuntu:
  Invalid
Status in x2goclient package in Ubuntu:
  Fix Released
Status in libssh source package in Xenial:
  New
Status in x2goclient source package in Xenial:
  New
Status in libssh source package in Bionic:
  New
Status in x2goclient source package in Bionic:
  New
Status in libssh source package in Disco:
  New
Status in x2goclient source package in Disco:
  New
Status in libssh source package in Eoan:
  New
Status in x2goclient source package in Eoan:
  New
Status in x2goclient package in Debian:
  Fix Released

Bug description:
  The recent CVE fix broke SCP support in libssh, which X2Go Client
  (x2goclient) relies on.

  Sessions now fail with error messages such as "SCP: Warning: status
  code 1 received: scp: ~username/.x2go/ssh: No such file or
  directory\n". (Also note the literal "\n" there, but I guess we don't
  really need to care about that.)

  The previous version worked fine and rolling the libssh4 package back
  fixes this issue, but also leaves users vulnerable to the fixed
  security issue in its scp implementation.

  
  I've been looking at the debdiff, but spotting the actual changes is very difficult due to the reformatting that was done at the same time. This degraded the patch(es) into one big blob.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795/+subscriptions