Hi,

On Fri 20 Dec 2019 20:32:49 CET, Mihai Moldovan wrote:

tag #1428 pending
fixed #1428 4.1.2.2
thanks

Hello,

X2Go issue #1428 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

The issue will most likely be fixed in src:x2goclient (4.1.2.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit ce559d163a943737fe4160f7233925df2eee1f9a
Author: Mihai Moldovan <io...@ionic.de>
Date:   Fri Dec 20 20:27:31 2019 +0100

src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428.

    This was already necessary for pascp (PuTTY-based Windows solution for
    Kerberos support), but newer libssh versions with the CVE-2019-14889
    also interpret paths as literal strings.

diff --git a/debian/changelog b/debian/changelog
index 504d6ae..9f84281 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
       sound weird first, but this behavior is consistent between all
       applications - tray icons can be clicked via either button and will
       always trigger a context menu. Let X2Go Client behave the same way.
+ - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from + destination paths in scp mode. Fixes: #1428. This was already necessary + for pascp (PuTTY-based Windows solution for Kerberos support), but newer + libssh versions with the CVE-2019-14889 also interpret paths as literal
+      strings.
   * debian/control:
     + Add build-depend on pkg-config.
   * x2goclient.spec:
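
Review bot: The added changelog entry says "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings", which reads as if those versions carry the vulnerability rather than a change made in response to it; a word such as "fix" or "patch" after the CVE number would remove the ambiguity. The entry also lists the stripped prefixes (~/, ~user{,/}, ${HOME}{,/}, $HOME{,/}) without saying what the destination is treated as afterwards or whether ~user covers users other than the login user, and one clause stating that would help packagers judge the behaviour change.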

Please note that I am currently working on getting this libssh/CVE-2019-14889 robustness patch into Debian [done] and Ubuntu [pending].

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

_______________________________________________
x2go-dev mailing list
x2go-dev@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-dev
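
The prefix stripping named in the commit message above, as an added sketch that is not X2Go Client's code: once the transfer layer takes the destination literally, `~/x` would name a directory called `~`, so the home reference is removed and a relative path is left. The function name, the `user` parameter and the rule that `~user` is stripped only for the login user are assumptions.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (assumption, not from the X2Go sources): remove a leading
// home-directory reference from an scp destination so that what remains is a
// relative path, which the remote side resolves against the login directory.
std::string strip_home_prefix(const std::string &path, const std::string &user) {
    // Braced form first so "${HOME}" is never half-matched; "~user" before "~".
    const std::vector<std::string> prefixes = {"${HOME}", "$HOME", "~" + user, "~"};
    for (const std::string &p : prefixes) {
        if (path.compare(0, p.size(), p) != 0)
            continue;
        // Accept the match only on a component boundary (end of string or '/').
        // This leaves "$HOMEDIR/x" and "~other/x" untouched.
        if (path.size() == p.size())
            return "";
        if (path[p.size()] != '/')
            continue;
        // Drop the prefix and every slash directly after it ("~//x" -> "x").
        std::size_t rest = path.find_first_not_of('/', p.size());
        return rest == std::string::npos ? "" : path.substr(rest);
    }
    return path;  // absolute or already relative: passed through unchanged
}

int main() {
    // Constructed sample destinations; "alice" is a made-up login user.
    const std::vector<std::string> samples = {
        "~/.x2go/ssh/key.pub", "~alice/upload", "${HOME}/docs/a.txt",
        "$HOME", "$HOMEDIR/a.txt", "~bob/upload", "/tmp/a.txt"};
    for (const std::string &s : samples)
        std::cout << s << " -> \"" << strip_home_prefix(s, "alice") << "\"\n";
    return 0;
}
```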