[X2Go-Dev] Bug#1429: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
* On 12/20/19 9:44 PM, Sylvain Cuaz wrote: > Le 20/12/2019 à 19:06, Mihai Moldovan a écrit : >> I'll let you know when fixed nightly versions are available, though. > > OK thanks Nightly builds should incorporate the fix now. Mihai signature.asc Description: OpenPGP digital signature ___ x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev
[X2Go-Dev] Bug#1429: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Le 20/12/2019 à 19:06, Mihai Moldovan a écrit : Control: reassign -1 x2goclient 4.1.2.1 Control: forcemerge -1 1428 * On 12/20/19 6:21 PM, Sylvain Cuaz wrote: SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works. [...] After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst; which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and https://usn.ubuntu.com/4219-1/ for the ubuntu packages Yes, I think that this change has been intentional. I'll have to fix that in X2Go Client and I know how to do this easily to retain support for pre-patched and patched versions. I will, however, probably not be able to provide new release versions with that fix (and others) for about a months. I'll let you know when fixed nightly versions are available, though. OK thanks As a workaround I reinstalled an old version of the libssh-4 package and the bug went away. Please don't do that OR recommend that. You're essentially now running without the CVE fix, which is probably worse than a broken client. Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings. ___ x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev
[X2Go-Dev] Bug#1429: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Control: reassign -1 x2goclient 4.1.2.1 Control: forcemerge -1 1428 * On 12/20/19 6:21 PM, Sylvain Cuaz wrote: > SSH key fails to be copied to the remote side because the path use a tilde, > so neither file sharing nor client-side printing works. > [...] > After using gdb I saw that ONMainWindow::exportDirs() calls > SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst; > which is ultimately passed to libssh. But following CVE-2019-14889 the path > is now literal (quoted), see > https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs > and > https://usn.ubuntu.com/4219-1/ for the ubuntu packages Yes, I think that this change has been intentional. I'll have to fix that in X2Go Client and I know how to do this easily to retain support for pre-patched and patched versions. I will, however, probably not be able to provide new release versions with that fix (and others) for about a months. I'll let you know when fixed nightly versions are available, though. > As a workaround I reinstalled an old version of the libssh-4 package and the > bug went away. Please don't do that OR recommend that. You're essentially now running without the CVE fix, which is probably worse than a broken client. Mihai signature.asc Description: OpenPGP digital signature ___ x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev