[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#947201: buster-pu: package x2goclient/4.1.2.1-2+deb10u1

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I have just uploaded x2goclient 4.1.2.1-2+deb10u1 with the following change:

+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).

It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).

The above patch makes X2Go Client robust against the libssh fix being
applied. As a pre-caution, I'd like to see this be released to Debian buster.

The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.

Greets,
Mike


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru x2goclient-4.1.2.1/debian/changelog x2goclient-4.1.2.1/debian/changelog
--- x2goclient-4.1.2.1/debian/changelog	2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/changelog	2019-12-21 18:22:22.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sat, 21 Dec 2019 18:22:22 +0100
+
 x2goclient (4.1.2.1-2) unstable; urgency=medium
 
   * debian/patches:
diff -Nru x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	2019-12-21 18:22:22.000000000 +0100
@@ -0,0 +1,110 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+---
+# debian/changelog   |  5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+#       sound weird first, but this behavior is consistent between all
+#       applications - tray icons can be clicked via either button and will
+#       always trigger a context menu. Let X2Go Client behave the same way.
+#+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+      destination paths in scp mode. Fixes: #1428. This was already necessary
+#+      for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+      strings.
+#   * debian/control:
+#     + Add build-depend on pkg-config.
+#   * x2goclient.spec:
+diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
+index 70c3b1c..aec5d0b 100644
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -310,6 +310,38 @@ void SshProcess::start_cp(QString src, QString dst)
+     x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> "<<dst;
+ 
+     scpSource=src;
++
++    /*
++     * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++     * paths as literal strings when in SFTP/SCP mode.
++     *
++     * Paths like the following will lead to errors:
++     *  - ~user/foo.txt
++     *  - ~/foo.txt
++     *  - ${HOME}/foo.txt
++     *  - $HOME/foo.txt
++     *
++     * However, relative paths are interpreted as relative to the user's home
++     * dir.
++     * For example:
++     * foo.txt
++     *
++     * This workaround assumes that files will never be uploaded to a home dir
++     * other than the user's.
++     */
++
++    dst.remove("~"+masterCon->getUser()+"/");
++    dst.remove("~"+masterCon->getUser()    );
++
++    dst.remove("~/");
++    dst.remove("~" );
++
++    dst.remove("${HOME}/");
++    dst.remove("${HOME}");
++
++    dst.remove("$HOME/");
++    dst.remove("$HOME");
++
+     if(!masterCon->useKerberos())
+     {
+         connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
+@@ -321,32 +353,6 @@ void SshProcess::start_cp(QString src, QString dst)
+     {
+         proc=new QProcess(this);
+ #ifdef Q_OS_WIN
+-//pscp doesn't acccept paths like the following when in SFTP mode (default)
+-//~user/foo.txt
+-//~/foo.txt
+-//${HOME}/foo.txt
+-//$HOME/foo.txt
+-//
+-//However, pscp does let you specify a path relative to the user's home dir.
+-//You simply specify the relative path without a / at the beginning.
+-//For example:
+-//foo.txt
+-//
+-//This workaround assumes that files will never be uploaded to a home dir
+-//other than the user's.
+-
+-        dst.remove("~"+masterCon->getUser()+"/");
+-        dst.remove("~"+masterCon->getUser()    );
+-
+-        dst.remove("~/");
+-        dst.remove("~" );
+-
+-        dst.remove("${HOME}/");
+-        dst.remove("${HOME}");
+-
+-        dst.remove("$HOME/");
+-        dst.remove("$HOME");
+-
+         QString sshString="pscp -batch -P "+
+ #else
+         QString sshString="scp -o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -P "+
+-- 
+2.17.1
+
+
diff -Nru x2goclient-4.1.2.1/debian/patches/series x2goclient-4.1.2.1/debian/patches/series
--- x2goclient-4.1.2.1/debian/patches/series	2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/patches/series	2019-12-21 18:22:22.000000000 +0100
@@ -2,3 +2,4 @@
 1002_fix-ftbfs-on-non-linux.patch
 1003_fix_ftbfs-against-libssh-0-8.patch
 1004_fix_ftbfs-against-qt5-11.patch
+libssh-regression-fix-CVE-2019-14889.patch
Reply to: