[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
Please see https://wiki.ubuntu.com/StableReleaseUpdates

[Test Case] and [Regression Potential] sections need to be added to the original report.
Debdiffs for Eoan, Bionic and Xenial need to be attached.
Disco is EOL in January 2020, so I think it's safe to ignore.

** Summary changed:

- X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
+ [SRU] X2Go Client broken by libssh CVE-2019-14889 fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856795

Title:
  [SRU] X2Go Client broken by libssh CVE-2019-14889 fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
Affected versions of libssh:

focal   0.9.0-1ubuntu5
eoan    0.9.0-1ubuntu1.3
disco   0.8.6-3ubuntu0.3
bionic  0.8.0~20170825.94fa1e38-1ubuntu0.5
xenial  0.6.3-4.3ubuntu0.5

** Changed in: x2goclient (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: x2goclient (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: x2goclient (Ubuntu Disco)
       Status: New => Confirmed

** Changed in: x2goclient (Ubuntu Eoan)
       Status: New => Confirmed

** Changed in: libssh (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: libssh (Ubuntu Bionic)
       Status: New => Invalid

** Changed in: libssh (Ubuntu Disco)
       Status: New => Invalid

** Changed in: libssh (Ubuntu Eoan)
       Status: New => Invalid

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
Fixed in focal:

x2goclient (4.1.2.1-4) unstable; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp
      (PuTTY-based Windows solution for Kerberos support), but newer libssh
      versions with the CVE-2019-14889 also interpret paths as literal
      strings. (Closes: #947129).

 -- Mike Gabriel  Sat, 21 Dec 2019 17:56:23 +0100

** Changed in: x2goclient (Ubuntu)
       Status: Confirmed => Fix Released

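The changelog entry above strips home-directory prefixes because a libssh carrying the CVE-2019-14889 fix hands the scp path to the remote side as a literal string, so `~` and `$HOME` are no longer expanded there. One way to do that normalization, as an added example: it is not the X2Go Client patch, and `strip_home_prefix`, the `login_user` parameter and the "." result for a bare home reference are assumptions of this example.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Added example, not X2Go Client's code. login_user is an assumed parameter:
// the account the SSH session authenticates as, whose home directory is the
// directory a relative scp destination resolves against.
std::string strip_home_prefix(const std::string &path,
                              const std::string &login_user)
{
    struct Form { std::string text; bool bare_ok; };
    // Forms named in the changelog: ~/, ~user{,/}, ${HOME}{,/}, $HOME{,/}.
    std::vector<Form> forms = { {"${HOME}", true}, {"$HOME", true}, {"~", false} };
    if (!login_user.empty())
        forms.insert(forms.begin(), Form{"~" + login_user, true});

    for (const Form &f : forms) {
        const std::size_t n = f.text.size();
        if (path.compare(0, n, f.text) != 0)
            continue;
        const bool bare = (path.size() == n);
        // Require a component boundary, so "$HOMEDIR/x" or "~alice2/x" are
        // not mistaken for a reference to the login user's home.
        if (bare ? !f.bare_ok : path[n] != '/')
            continue;
        const std::size_t rest = path.find_first_not_of('/', n);
        // Assumption of this example: a bare home reference becomes ".".
        return rest == std::string::npos ? "." : path.substr(rest);
    }
    // Absolute path, already relative, or another user's home: unchanged.
    return path;
}

int main()
{
    // Constructed sample destinations, not taken from the bug report.
    const char *samples[] = { "~/.x2go/ssh/key", "~alice/media", "${HOME}/a",
                              "$HOME", "$HOMEDIR/a", "~bob/a", "/tmp/a" };
    for (const char *s : samples)
        std::cout << s << " -> " << strip_home_prefix(s, "alice") << "\n";
    return 0;
}
```

Paths that refer to another user's home are returned unchanged, because they cannot be expressed relative to the login user's home; a caller has to resolve or reject those separately.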
[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
** Changed in: x2goclient (Debian)
       Status: Unknown => Fix Released

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
** Changed in: libssh (Ubuntu)
       Status: Confirmed => Invalid

** Also affects: libssh (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: x2goclient (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: libssh (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: x2goclient (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: libssh (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: x2goclient (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: libssh (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: x2goclient (Ubuntu Bionic)
   Importance: Undecided
       Status: New

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
** Changed in: x2goclient (Ubuntu)
       Status: New => Confirmed

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
** Also affects: x2goclient (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: x2goclient (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
   Importance: Unknown
       Status: Unknown

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
See Debian bug 947129
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
I think this issue needs to be re-assigned and someone needs to provide updates for x2goclient in all supported Ubuntu releases that have received the fix for CVE-2019-14889.

This patch needs to be applied on top of X2Go Client:
https://code.x2go.org/gitweb?p=x2goclient.git;a=patch;h=ce559d163a943737fe4160f7233925df2eee1f9a

For Debian, I am currently on this...

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14889

** Bug watch added: Debian Bug tracker #947129
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
The issue seems to be that the CVE fixes changed the path interpretation to be literal. See
https://git.libssh.org/projects/libssh.git/commit/src/scp.c?id=3830c7ae6eec751b7618d3fc159cb5bb3c8806a6

If that's intentional, and I think it is, then I will need to change this behavior in X2Go Client directly instead and this bug report would be invalid.

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
Thanks. I can also confirm this bug running X2Go on Ubuntu 18.04 (Client / Remote).

Appears to have been described also here:
https://lists.x2go.org/pipermail/x2go-dev/2019-December/013260.html

[Bug 1856795] Re: X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libssh (Ubuntu)
       Status: New => Confirmed