group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1856795] Re: [SRU] X2Go Client broken by libssh CVE-2019-14889 fix

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1856795@xxxxxxxxxxxxxxxxxx>
Date: Mon, 03 Feb 2020 12:31:35 -0000
Reply-to: Bug 1856795 <1856795@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package x2goclient - 4.1.2.1-2ubuntu0.19.10.1

---------------
x2goclient (4.1.2.1-2ubuntu0.19.10.1) eoan; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <sunweaver@xxxxxxxxxx>  Wed, 25 Dec 2019 21:11:41 +0100

** Changed in: x2goclient (Ubuntu Eoan)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1856795

Title:
  [SRU] X2Go Client broken by libssh CVE-2019-14889 fix

Status in x2goclient package in Ubuntu:
  Fix Released
Status in x2goclient source package in Xenial:
  Fix Released
Status in x2goclient source package in Bionic:
  Fix Released
Status in x2goclient source package in Disco:
  Won't Fix
Status in x2goclient source package in Eoan:
  Fix Released
Status in x2goclient package in Debian:
  Fix Released

Bug description:
  [Test case]
  Connect to a x2go server on a session that has file sharing or audo-forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".

  [Regression potential]
  Very low as the patch removes "~<user>" from the ssh string which is the same as just using no path spec (":") as the default is the home dir of the logged in remote user.

  --------------------------------------------------------------------------

  The recent CVE fix broke SCP support in libssh, which X2Go Client
  (x2goclient) relies on.

  Sessions now fail with error messages such as "SCP: Warning: status
  code 1 received: scp: ~username/.x2go/ssh: No such file or
  directory\n". (Also note the literal "\n" there, but I guess we don't
  really need to care about that.)

  The previous version worked fine and rolling the libssh4 package back
  fixes this issue, but also leaves users vulnerable to the fixed
  security issue in its scp implementation.

  I've been looking at the debdiff, but spotting the actual changes is
  very difficult due to the reformatting that was done at the same time.
  This degraded the patch(es) into one big blob.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/x2goclient/+bug/1856795/+subscriptions