Bug#947129: marked as done (x2goclient: regression caused by CVE-2019-14889/libssh fix)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 21 Dec 2019 17:37:48 +0000
with message-id <E1iiihI-000FEX-Bt@fasolo.debian.org>
and subject line Bug#947129: fixed in x2goclient 4.1.2.1-4
has caused the Debian Bug report #947129,
regarding x2goclient: regression caused by CVE-2019-14889/libssh fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: x2goclient: regression caused by CVE-2019-14889/libssh fix
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sat, 21 Dec 2019 16:53:01 +0000
• Message-id: <[🔎] 20191221165301.Horde.emHcjYRaf-gxfGlYyAXf9jC@mail.das-netzwerkteam.de>

Package: x2goclient
Version: 4.1.2.1-3
Severity: serious
Control: found -1 4.0.3.1-4
Control: found -1 4.0.5.2-2

the recent libssh fix for CVE-2019-14889 causes a regresion in X2Go Client:

```

Connection failed. Couldn't create remote file ~<user>/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory"

```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):

https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

light+love
Mike

--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgpXorXGYFFcC.pgp
Description: Digitale PGP-Signatur

--- End Message ---

--- Begin Message ---

• To: 947129-close@bugs.debian.org
• Subject: Bug#947129: fixed in x2goclient 4.1.2.1-4
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sat, 21 Dec 2019 17:37:48 +0000
• Message-id: <E1iiihI-000FEX-Bt@fasolo.debian.org>

Source: x2goclient
Source-Version: 4.1.2.1-4

We believe that the bug you reported is fixed in the latest version of
x2goclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated x2goclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Dec 2019 17:56:23 +0100
Source: x2goclient
Architecture: source
Version: 4.1.2.1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 947129
Changes:
 x2goclient (4.1.2.1-4) unstable; urgency=medium
 .
   * debian/patches:
     + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
       strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
       in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
       based Windows solution for Kerberos support), but newer libssh versions
       with the CVE-2019-14889 also interpret paths as literal strings.
       (Closes: #947129).
Checksums-Sha1:
 e5a05985b48ac351cbea110711a29fb621a66ef6 2489 x2goclient_4.1.2.1-4.dsc
 dbc1e27d7d30127ff176b911193c6a6f2e13c95c 24068 x2goclient_4.1.2.1-4.debian.tar.xz
 c7bad695f3d3499f83beafed23fdf135f5a04c87 13021 x2goclient_4.1.2.1-4_source.buildinfo
Checksums-Sha256:
 21f9d6a71ba016003a6161aa8df366c25e2945f5a80f395df49bbfe210770fda 2489 x2goclient_4.1.2.1-4.dsc
 986ada1ef922176baaff8bbde2e264e24153ce9fac962daa3d88694b99c73280 24068 x2goclient_4.1.2.1-4.debian.tar.xz
 f8a0d0140c1ff0ac4245afa6597cc3e292a585fa8531bc01ceff50ac682b226a 13021 x2goclient_4.1.2.1-4_source.buildinfo
Files:
 ab88fa360d9297e67679e76c4834a5fc 2489 x11 optional x2goclient_4.1.2.1-4.dsc
 bee88899ce4b13b1022ee44dc1bac673 24068 x11 optional x2goclient_4.1.2.1-4.debian.tar.xz
 300fa8976876634b8de6d96eb2b817eb 13021 x11 optional x2goclient_4.1.2.1-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl3+VE4VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsx3dMP/iCSggpg5jtShOGo0VPNvu67cz1j
e0M0UO9uMjcu95hTeCySITbHKblQKB/VPgD910rW9dD9igGf/enM3Qg2ue0iY7Dt
d2ERKCZEZRum98+O9S1aMwQZypZEAxpGIe4xC5gItYqclBPnqTg9UadXP35DBmNf
3p4cUCwfAmFdi0Pz7m6NmDZ3H/1PoOH303d2+IdfndD6iZe+if45nEJfCganC5Fd
FFrUr+Bt1URGaN1/Gy8bMiRTfP+NXamyL7Yc2KCfxBAaARIZWrjO2yHff6OY2oPM
etnoJOUmFP6vtbiLhcconfXe+kYpOL0smlQp0CeK3PAGQkkqizKqk1i3FDU/PvCD
2pIUJvhV7Rhnbr2bG66VfT3mr3ekcoJynXOlLGEFqKsHtIu3xoOBWHbLoy8ouSwc
WK9A+eyBwKa2A4BF9f9W82ymZrHYP2BbA2nbpDhjEjIpjFR8a0tFEMCByIeXgGzo
2QNbG1crA7BwISbWR1cF/NmYxbNb0OpZYGuR6rFnxLARmEwfO+19AaFj385z05yJ
OAFHsqXBkUqm9Xwp8jfLsenOj1xK5vefiO1XC6JDwgi4vFf7X8TM6HXyBbPORiPT
79WRbvPV3mwzv+ifiVV3w6rwkwbowr2zvagEWXWYSQZ1RzaBD9wTDwJwt5Y1Mttr
Pm/Y+/yzQLtZ7KAb
=ovSJ
-----END PGP SIGNATURE-----

--- End Message ---