
Bug#947204: marked as done (stretch-pu: package x2goclient/4.0.5.2-2+deb9u1)



Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #947204,
regarding stretch-pu: package x2goclient/4.0.5.2-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947204: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947204
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I have just uploaded x2goclient 4.0.5.2-2+deb9u1 with the following change:

+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).

It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).

The above patch makes X2Go Client robust against the libssh fix being
applied. As a precaution, I'd like to see this released to Debian stretch.

The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.

Greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru x2goclient-4.0.5.2/debian/changelog x2goclient-4.0.5.2/debian/changelog
--- x2goclient-4.0.5.2/debian/changelog	2016-11-30 08:31:54.000000000 +0100
+++ x2goclient-4.0.5.2/debian/changelog	2019-12-22 14:53:58.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.0.5.2-2+deb9u1) stretch; urgency=medium
+
+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sun, 22 Dec 2019 14:53:58 +0100
+
 x2goclient (4.0.5.2-2) unstable; urgency=medium
 
   * Rebuild against libssl1.0-dev (via libssh-dev 0.7.3-2).
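Review bot: the wording at `+      with the CVE-2019-14889 also interpret paths as literal strings.` reads as though libssh carries CVE-2019-14889 rather than the fix for it; since this upload is a regression fix against a libssh change, "newer libssh versions with the CVE-2019-14889 fix" would keep a reader of the changelog or the security tracker from associating the CVE with x2goclient itself. `Fixes: #1428` sits next to `(Closes: #947129)` as a bare number from a different tracker; marking it as the upstream X2Go bug would avoid confusion with Debian bug numbers.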
diff -Nru x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	2019-12-22 14:53:58.000000000 +0100
@@ -0,0 +1,74 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+
+[sunweaver] - Patch ported to earlier version of x2goclient.
+
+---
+# debian/changelog   |  5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+#       sound weird first, but this behavior is consistent between all
+#       applications - tray icons can be clicked via either button and will
+#       always trigger a context menu. Let X2Go Client behave the same way.
+#+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+      destination paths in scp mode. Fixes: #1428. This was already necessary
+#+      for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+      strings.
+#   * debian/control:
+#     + Add build-depend on pkg-config.
+#   * x2goclient.spec:
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -301,6 +301,38 @@
+     x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> "<<dst;
+ 
+     scpSource=src;
++
++    /*
++     * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++     * paths as literal strings when in SFTP/SCP mode.
++     *
++     * Paths like the following will lead to errors:
++     *  - ~user/foo.txt
++     *  - ~/foo.txt
++     *  - ${HOME}/foo.txt
++     *  - $HOME/foo.txt
++     *
++     * However, relative paths are interpreted as relative to the user's home
++     * dir.
++     * For example:
++     * foo.txt
++     *
++     * This workaround assumes that files will never be uploaded to a home dir
++     * other than the user's.
++     */
++
++    dst.remove("~"+masterCon->getUser()+"/");
++    dst.remove("~"+masterCon->getUser()    );
++
++    dst.remove("~/");
++    dst.remove("~" );
++
++    dst.remove("${HOME}/");
++    dst.remove("${HOME}");
++
++    dst.remove("$HOME/");
++    dst.remove("$HOME");
++
+     if(!masterCon->useKerberos())
+     {
+         connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
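Review bot: `dst.remove("~")`, `dst.remove("$HOME")` and the other calls in this hunk use QString::remove(const QString &), which deletes every occurrence of the substring, not only a leading one, so a tilde or `$HOME` inside a file or directory name (an editor backup such as `notes~`) is silently rewritten and the upload lands at a different path than requested. Anchoring the check at the start of the path and applying it once, e.g. `if (dst.startsWith("~/")) dst.remove(0, 2);`, would keep the rest of the path literal, which is exactly what the libssh fix enforces. The `~user` handling has the same shape of problem: `~otheruser/foo.txt` falls through to `dst.remove("~")` and becomes `otheruser/foo.txt` relative to the connecting user's home, and `~userdata/foo.txt` loses its `~user` prefix; the block comment states the assumption, but refusing such a destination with an error would be safer than silently retargeting it. Separately, the `#`-commented `diff --git a/debian/changelog` section left in the patch header is dead weight in the ported patch and could be dropped.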
diff -Nru x2goclient-4.0.5.2/debian/patches/series x2goclient-4.0.5.2/debian/patches/series
--- x2goclient-4.0.5.2/debian/patches/series	2016-11-30 08:31:54.000000000 +0100
+++ x2goclient-4.0.5.2/debian/patches/series	2019-12-22 10:53:13.000000000 +0100
@@ -1 +1,2 @@
 1001_deprecated-apache2-config.patch
+libssh-regression-fix-CVE-2019-14889.patch

--- End Message ---
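The regression described in the message above comes from libssh no longer expanding `~` or `$HOME` in scp destination paths, and the patch answers it by deleting those tokens wherever they occur. The following is an added example (not code from the x2goclient patch or the X2Go project) that puts the patch's remove-every-occurrence approach beside a prefix-anchored normalisation, so the difference on edge cases (tildes inside names, another user's home, `$HOME` mid-path) can be seen directly. It assumes no Qt: std::string stands in for QString, `removeAll()` mimics `QString::remove(const QString &)`, and the sample paths and the user name `alice` are constructed for the example.

```cpp
// Added example, not code from the x2goclient patch or the X2Go project.
// Contrasts the patch's "remove every occurrence" handling of home-directory
// references in an scp destination path with a prefix-anchored rewrite.
// Qt is assumed unavailable: std::string stands in for QString, and
// removeAll() mimics QString::remove(const QString &).
#include <iostream>
#include <string>

// Delete every occurrence of `needle` from `s` (QString::remove semantics).
static void removeAll(std::string& s, const std::string& needle)
{
    if (needle.empty()) return;
    for (std::string::size_type pos = s.find(needle);
         pos != std::string::npos;
         pos = s.find(needle, pos))
    {
        s.erase(pos, needle.size());
    }
}

// Mirrors the removals in the sshprocess.cpp hunk, in the same order.
std::string stripHomeRemoveAll(std::string dst, const std::string& user)
{
    removeAll(dst, "~" + user + "/");
    removeAll(dst, "~" + user);
    removeAll(dst, "~/");
    removeAll(dst, "~");
    removeAll(dst, "${HOME}/");
    removeAll(dst, "${HOME}");
    removeAll(dst, "$HOME/");
    removeAll(dst, "$HOME");
    return dst;
}

// Prefix-anchored alternative: a home-directory reference is rewritten only
// when it is the whole path or its first component, and only once. Everything
// after it stays literal, which is what the libssh CVE-2019-14889 fix
// enforces on the wire. A reference to a different user's home (~bob/...)
// is left untouched so the caller can reject it rather than retarget it.
std::string stripHomePrefix(std::string dst, const std::string& user)
{
    const std::string bare[] = {"~" + user, "~", "${HOME}", "$HOME"};
    for (const std::string& b : bare) {
        // The home directory itself, spelled as a relative path. "." is this
        // example's convention; the patch would produce an empty string here.
        if (dst == b) return ".";
        const std::string slashed = b + "/";
        if (dst.compare(0, slashed.size(), slashed) == 0) {
            dst.erase(0, slashed.size());
            break;  // strip exactly one leading reference
        }
    }
    return dst;
}

int main()
{
    // Constructed sample destinations; "alice" is the connecting user.
    const char* samples[] = {
        "~/foo.txt", "~alice/foo.txt", "${HOME}/.x2go/ssh/key",
        "~/backup~/notes~.txt", "~bob/foo.txt", "data/$HOME.txt", "~",
    };
    for (const char* s : samples) {
        std::cout << s << "\n  remove-all : " << stripHomeRemoveAll(s, "alice")
                  << "\n  prefix-only: " << stripHomePrefix(s, "alice") << "\n";
    }
    return 0;
}
```

Both functions agree on the paths the patch was written for (`~/foo.txt`, `~alice/foo.txt`, `${HOME}/...`); they diverge exactly where the remove-all form rewrites something the user did not mean as a home reference.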
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---