Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id 
<cf1cb2f35981916a86b98b83609df15c95aa378b.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #947201,
regarding buster-pu: package x2goclient/4.1.2.1-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
947201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947201
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Hi,

I have just uploaded x2goclient 4.1.2.1-2+deb10u1 with the following change:

+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).

It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).

The above patch makes X2Go Client robust against the libssh fix being
applied. As a precaution, I'd like to see this released to Debian buster.

The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.

Greets,
Mike


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru x2goclient-4.1.2.1/debian/changelog x2goclient-4.1.2.1/debian/changelog
--- x2goclient-4.1.2.1/debian/changelog 2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/changelog 2019-12-21 18:22:22.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).
+
+ -- Mike Gabriel <[email protected]>  Sat, 21 Dec 2019 18:22:22 +0100
+
 x2goclient (4.1.2.1-2) unstable; urgency=medium
 
   * debian/patches:
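Review bot: the wording "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings" (both here and in the patch description below) attributes the behaviour change to the vulnerability, whereas it is the fix for CVE-2019-14889 that makes libssh treat paths literally; "with the CVE-2019-14889 fix" would be accurate. The entry also puts "Fixes: #1428" next to "Closes: #947129" without saying that the former comes from the upstream commit (the patch is by Mihai Moldovan and carries that number), so a reader will look for #1428 on bugs.debian.org; naming the tracker would avoid that.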
diff -Nru x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	2019-12-21 18:22:22.000000000 +0100
@@ -0,0 +1,110 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <[email protected]>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+---
+# debian/changelog   |  5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+#       sound weird first, but this behavior is consistent between all
+#       applications - tray icons can be clicked via either button and will
+#       always trigger a context menu. Let X2Go Client behave the same way.
+#+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+      destination paths in scp mode. Fixes: #1428. This was already necessary
+#+      for pascp (PuTTY-based Windows solution for Kerberos support), but 
newer
+#+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+      strings.
+#   * debian/control:
+#     + Add build-depend on pkg-config.
+#   * x2goclient.spec:
+diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
+index 70c3b1c..aec5d0b 100644
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -310,6 +310,38 @@ void SshProcess::start_cp(QString src, QString dst)
+     x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> 
"<<dst;
+ 
+     scpSource=src;
++
++    /*
++     * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++     * paths as literal strings when in SFTP/SCP mode.
++     *
++     * Paths like the following will lead to errors:
++     *  - ~user/foo.txt
++     *  - ~/foo.txt
++     *  - ${HOME}/foo.txt
++     *  - $HOME/foo.txt
++     *
++     * However, relative paths are interpreted as relative to the user's home
++     * dir.
++     * For example:
++     * foo.txt
++     *
++     * This workaround assumes that files will never be uploaded to a home dir
++     * other than the user's.
++     */
++
++    dst.remove("~"+masterCon->getUser()+"/");
++    dst.remove("~"+masterCon->getUser()    );
++
++    dst.remove("~/");
++    dst.remove("~" );
++
++    dst.remove("${HOME}/");
++    dst.remove("${HOME}");
++
++    dst.remove("$HOME/");
++    dst.remove("$HOME");
++
+     if(!masterCon->useKerberos())
+     {
+         connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
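Review bot: the eight dst.remove(...) calls are not anchored to the start of the path; QString::remove(const QString &) deletes every occurrence, so a destination such as /tmp/backup~/file.txt silently becomes /tmp/backupfile.txt, and ~otheruser/file.txt becomes otheruser/file.txt, i.e. an upload into the connecting user's own home instead of an error. The comment states the assumption ("files will never be uploaded to a home dir other than the user's"), but the code should enforce it rather than rewrite around it: test the prefix with dst.startsWith("~/") / startsWith("~"+masterCon->getUser()+"/") and remove(0, n), or one QRegularExpression anchored with ^, and log or refuse a ~otheruser prefix. The x2goDebug line at the top of start_cp() prints dst before this rewrite, so a second debug line after it (or moving the existing one down) would make the path actually handed to scp visible when the regression this patch targets is being diagnosed.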
+@@ -321,32 +353,6 @@ void SshProcess::start_cp(QString src, QString dst)
+     {
+         proc=new QProcess(this);
+ #ifdef Q_OS_WIN
+-//pscp doesn't acccept paths like the following when in SFTP mode (default)
+-//~user/foo.txt
+-//~/foo.txt
+-//${HOME}/foo.txt
+-//$HOME/foo.txt
+-//
+-//However, pscp does let you specify a path relative to the user's home dir.
+-//You simply specify the relative path without a / at the beginning.
+-//For example:
+-//foo.txt
+-//
+-//This workaround assumes that files will never be uploaded to a home dir
+-//other than the user's.
+-
+-        dst.remove("~"+masterCon->getUser()+"/");
+-        dst.remove("~"+masterCon->getUser()    );
+-
+-        dst.remove("~/");
+-        dst.remove("~" );
+-
+-        dst.remove("${HOME}/");
+-        dst.remove("${HOME}");
+-
+-        dst.remove("$HOME/");
+-        dst.remove("$HOME");
+-
+         QString sshString="pscp -batch -P "+
+ #else
+         QString sshString="scp -o GSSApiAuthentication=yes -o 
PasswordAuthentication=no -o PubkeyAuthentication=no -P "+
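Review bot: hoisting the stripping above the if(!masterCon->useKerberos()) branch means it now also runs for the #else branch's OpenSSH scp command line on Linux, which previously received the destination untouched; a relative destination still resolves against the login user's home there, so this is harmless, but it is a behaviour change for the Kerberos/Linux path that neither the patch description nor the changelog mentions. The #ifdef Q_OS_WIN block now contains only the pscp command string, so the comment block was correctly moved rather than duplicated.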
+-- 
+2.17.1
+
+
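Review bot: the diffstat kept from the upstream commit still lists debian/changelog and "2 files changed, 37 insertions(+), 26 deletions(-)" while the debian/changelog portion below it is commented out with leading #; quilt ignores both, but the stale summary misleads anyone reading the patch file. Either drop the upstream changelog hunk and the diffstat together, or leave the diffstat consistent with what is actually applied. A DEP-3 header (Origin: upstream, commit ce559d163a943737fe4160f7233925df2eee1f9a; Bug-Debian: https://bugs.debian.org/947129) would also record the provenance in the form the Debian patch tracker reads.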
diff -Nru x2goclient-4.1.2.1/debian/patches/series x2goclient-4.1.2.1/debian/patches/series
--- x2goclient-4.1.2.1/debian/patches/series	2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/patches/series	2019-12-21 18:22:22.000000000 +0100
@@ -2,3 +2,4 @@
 1002_fix-ftbfs-on-non-linux.patch
 1003_fix_ftbfs-against-libssh-0-8.patch
 1004_fix_ftbfs-against-qt5-11.patch
+libssh-regression-fix-CVE-2019-14889.patch
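Review bot: the existing entries use a numeric 1002_/1003_/1004_ prefix to fix the apply order, and the new libssh-regression-fix-CVE-2019-14889.patch breaks that convention; 1005_libssh-regression-fix-CVE-2019-14889.patch would keep the series consistent and make the intended ordering explicit.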

--- End Message ---
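The destination-path rewrite described in the message above, shown as an added example that is not X2Go Client or Debian code: std::string stands in for QString, remove_all() models QString::remove() deleting every occurrence, and the user name "alice" is a constructed stand-in for masterCon->getUser(). The example goes beyond the patch in that it also implements an anchored variant that only strips a home prefix at the start of the path and refuses another user's home instead of silently redirecting it.

```cpp
#include <cassert>
#include <iostream>
#include <string>

// Added example, not X2Go Client or Debian code. std::string stands in for
// QString; "alice" below is a constructed stand-in for masterCon->getUser().

// Mirrors QString::remove(const QString &): deletes every occurrence of
// needle, wherever it appears in the string, not just a leading one.
static std::string remove_all(std::string s, const std::string &needle) {
    if (needle.empty()) return s;
    for (std::string::size_type pos = 0;
         (pos = s.find(needle, pos)) != std::string::npos;) {
        s.erase(pos, needle.size());
    }
    return s;
}

// Unanchored stripping, in the same order as the patch's start_cp():
// ~user/, ~user, ~/, ~, ${HOME}/, ${HOME}, $HOME/, $HOME.
std::string strip_unanchored(std::string dst, const std::string &user) {
    const std::string needles[] = {
        "~" + user + "/", "~" + user, "~/", "~",
        "${HOME}/", "${HOME}", "$HOME/", "$HOME"};
    for (const std::string &n : needles) dst = remove_all(dst, n);
    return dst;
}

// Anchored stripping: only a home prefix at the very start of the path is
// removed, and only when it is the connecting user's own home. The result is
// relative to that home (pscp and libssh with the CVE-2019-14889 fix resolve
// relative paths there). Returns false for another user's home (~bob/...),
// which the caller should refuse rather than upload into its own home.
bool strip_anchored(std::string &dst, const std::string &user) {
    const std::string prefixes[] = {"~" + user, "~", "${HOME}", "$HOME"};
    for (const std::string &p : prefixes) {
        if (dst.compare(0, p.size(), p) != 0) continue;
        if (dst.size() == p.size()) {   // bare "~", "~alice", "$HOME", ...
            dst = ".";
            return true;
        }
        if (dst[p.size()] == '/') {
            dst.erase(0, p.size() + 1);
            // Keep the result relative even for "~//x".
            while (!dst.empty() && dst[0] == '/') dst.erase(0, 1);
            if (dst.empty()) dst = ".";
            return true;
        }
        if (p == "~") return false;     // "~someone": not our home, refuse
    }
    return true;                        // no home prefix: leave as given
}

int main() {
    const std::string user = "alice";   // constructed sample user name
    const char *samples[] = {"~/foo.txt", "~alice/.x2go/key",
                             "/tmp/backup~/x2go.txt", "~bob/foo.txt", "$HOME"};
    for (const char *s : samples) {
        std::string anchored = s;
        bool ok = strip_anchored(anchored, user);
        std::cout << s << "  unanchored: " << strip_unanchored(s, user)
                  << "  anchored: " << (ok ? anchored : std::string("REFUSED"))
                  << '\n';
    }
    return 0;
}
```

The two middle samples are the ones that matter: the unanchored version turns /tmp/backup~/x2go.txt into /tmp/backupx2go.txt and ~bob/foo.txt into bob/foo.txt without any error, while the anchored version leaves the first untouched and returns false for the second so the caller can surface it.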
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
