Hi, On Fr 20 Dez 2019 20:32:49 CET, Mihai Moldovan wrote:
tag #1428 pending fixed #1428 4.1.2.2 thanks Hello, X2Go issue #1428 (src:x2goclient) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at: http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1 The issue will most likely be fixed in src:x2goclient (4.1.2.2). light+love X2Go Git Admin (on behalf of the sender of this mail) --- commit ce559d163a943737fe4160f7233925df2eee1f9a Author: Mihai Moldovan <io...@ionic.de> Date: Fri Dec 20 20:27:31 2019 +0100src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428.This was already necessary for pascp (PuTTY-based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings. diff --git a/debian/changelog b/debian/changelog index 504d6ae..9f84281 100644 --- a/debian/changelog +++ b/debian/changelog @@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium sound weird first, but this behavior is consistent between all applications - tray icons can be clicked via either button and will always trigger a context menu. Let X2Go Client behave the same way.+ - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from + destination paths in scp mode. Fixes: #1428. This was already necessary + for pascp (PuTTY-based Windows solution for Kerberos support), but newer + libssh versions with the CVE-2019-14889 also interpret paths as literal+ strings. * debian/control: + Add build-depend on pkg-config. * x2goclient.spec:
Please note that I am currently working on getting this libssh/CVE-2019-14889 robustness patch into Debian [done] and Ubuntu [pending].
Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
pgpywqpHMliCP.pgp
Description: Digitale PGP-Signatur
_______________________________________________ x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev