Bug#947201: buster-pu: package x2goclient/4.1.2.1-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I have just uploaded x2goclient 4.1.2.1-2+deb10u1 with the following change:
+ * debian/patches:
+ + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+ strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+ in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+ based Windows solution for Kerberos support), but newer libssh versions
+ with the CVE-2019-14889 also interpret paths as literal strings.
+ (Closes: #947129).
It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).
The above patch makes X2Go Client robust against the libssh fix being
applied. As a pre-caution, I'd like to see this be released to Debian buster.
The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.
Greets,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru x2goclient-4.1.2.1/debian/changelog x2goclient-4.1.2.1/debian/changelog
--- x2goclient-4.1.2.1/debian/changelog 2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/changelog 2019-12-21 18:22:22.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
+
+ * debian/patches:
+ + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+ strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+ in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+ based Windows solution for Kerberos support), but newer libssh versions
+ with the CVE-2019-14889 also interpret paths as literal strings.
+ (Closes: #947129).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 21 Dec 2019 18:22:22 +0100
+
x2goclient (4.1.2.1-2) unstable; urgency=medium
* debian/patches:
diff -Nru x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 2019-12-21 18:22:22.000000000 +0100
@@ -0,0 +1,110 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+---
+# debian/changelog | 5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+# sound weird first, but this behavior is consistent between all
+# applications - tray icons can be clicked via either button and will
+# always trigger a context menu. Let X2Go Client behave the same way.
+#+ - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+ destination paths in scp mode. Fixes: #1428. This was already necessary
+#+ for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+ libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+ strings.
+# * debian/control:
+# + Add build-depend on pkg-config.
+# * x2goclient.spec:
+diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
+index 70c3b1c..aec5d0b 100644
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -310,6 +310,38 @@ void SshProcess::start_cp(QString src, QString dst)
+ x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> "<<dst;
+
+ scpSource=src;
++
++ /*
++ * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++ * paths as literal strings when in SFTP/SCP mode.
++ *
++ * Paths like the following will lead to errors:
++ * - ~user/foo.txt
++ * - ~/foo.txt
++ * - ${HOME}/foo.txt
++ * - $HOME/foo.txt
++ *
++ * However, relative paths are interpreted as relative to the user's home
++ * dir.
++ * For example:
++ * foo.txt
++ *
++ * This workaround assumes that files will never be uploaded to a home dir
++ * other than the user's.
++ */
++
++ dst.remove("~"+masterCon->getUser()+"/");
++ dst.remove("~"+masterCon->getUser() );
++
++ dst.remove("~/");
++ dst.remove("~" );
++
++ dst.remove("${HOME}/");
++ dst.remove("${HOME}");
++
++ dst.remove("$HOME/");
++ dst.remove("$HOME");
++
+ if(!masterCon->useKerberos())
+ {
+ connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
+@@ -321,32 +353,6 @@ void SshProcess::start_cp(QString src, QString dst)
+ {
+ proc=new QProcess(this);
+ #ifdef Q_OS_WIN
+-//pscp doesn't acccept paths like the following when in SFTP mode (default)
+-//~user/foo.txt
+-//~/foo.txt
+-//${HOME}/foo.txt
+-//$HOME/foo.txt
+-//
+-//However, pscp does let you specify a path relative to the user's home dir.
+-//You simply specify the relative path without a / at the beginning.
+-//For example:
+-//foo.txt
+-//
+-//This workaround assumes that files will never be uploaded to a home dir
+-//other than the user's.
+-
+- dst.remove("~"+masterCon->getUser()+"/");
+- dst.remove("~"+masterCon->getUser() );
+-
+- dst.remove("~/");
+- dst.remove("~" );
+-
+- dst.remove("${HOME}/");
+- dst.remove("${HOME}");
+-
+- dst.remove("$HOME/");
+- dst.remove("$HOME");
+-
+ QString sshString="pscp -batch -P "+
+ #else
+ QString sshString="scp -o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -P "+
+--
+2.17.1
+
+
diff -Nru x2goclient-4.1.2.1/debian/patches/series x2goclient-4.1.2.1/debian/patches/series
--- x2goclient-4.1.2.1/debian/patches/series 2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/patches/series 2019-12-21 18:22:22.000000000 +0100
@@ -2,3 +2,4 @@
1002_fix-ftbfs-on-non-linux.patch
1003_fix_ftbfs-against-libssh-0-8.patch
1004_fix_ftbfs-against-qt5-11.patch
+libssh-regression-fix-CVE-2019-14889.patch
Reply to: