Bug#947204: stretch-pu: package x2goclient/4.0.5.2-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I have just uploaded x2goclient 4.0.5.2-2+deb9u1 with the following change:
+ + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+ strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+ in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+ based Windows solution for Kerberos support), but newer libssh versions
+ with the CVE-2019-14889 also interpret paths as literal strings.
+ (Closes: #947129).
It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).
The above patch makes X2Go Client robust against the libssh fix being
applied. As a pre-caution, I'd like to see this to be released to Debian stretch.
The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.
Greets,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru x2goclient-4.0.5.2/debian/changelog x2goclient-4.0.5.2/debian/changelog
--- x2goclient-4.0.5.2/debian/changelog 2016-11-30 08:31:54.000000000 +0100
+++ x2goclient-4.0.5.2/debian/changelog 2019-12-22 14:53:58.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.0.5.2-2+deb9u1) stretch; urgency=medium
+
+ * debian/patches:
+ + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+ strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+ in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+ based Windows solution for Kerberos support), but newer libssh versions
+ with the CVE-2019-14889 also interpret paths as literal strings.
+ (Closes: #947129).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 22 Dec 2019 14:53:58 +0100
+
x2goclient (4.0.5.2-2) unstable; urgency=medium
* Rebuild against libssl1.0-dev (via libssh-dev 0.7.3-2).
diff -Nru x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.0.5.2/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 2019-12-22 14:53:58.000000000 +0100
@@ -0,0 +1,74 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+
+[sunweaver] - Patch ported to earlier version of x2goclient.
+
+---
+# debian/changelog | 5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+# sound weird first, but this behavior is consistent between all
+# applications - tray icons can be clicked via either button and will
+# always trigger a context menu. Let X2Go Client behave the same way.
+#+ - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+ destination paths in scp mode. Fixes: #1428. This was already necessary
+#+ for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+ libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+ strings.
+# * debian/control:
+# + Add build-depend on pkg-config.
+# * x2goclient.spec:
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -301,6 +301,38 @@
+ x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> "<<dst;
+
+ scpSource=src;
++
++ /*
++ * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++ * paths as literal strings when in SFTP/SCP mode.
++ *
++ * Paths like the following will lead to errors:
++ * - ~user/foo.txt
++ * - ~/foo.txt
++ * - ${HOME}/foo.txt
++ * - $HOME/foo.txt
++ *
++ * However, relative paths are interpreted as relative to the user's home
++ * dir.
++ * For example:
++ * foo.txt
++ *
++ * This workaround assumes that files will never be uploaded to a home dir
++ * other than the user's.
++ */
++
++ dst.remove("~"+masterCon->getUser()+"/");
++ dst.remove("~"+masterCon->getUser() );
++
++ dst.remove("~/");
++ dst.remove("~" );
++
++ dst.remove("${HOME}/");
++ dst.remove("${HOME}");
++
++ dst.remove("$HOME/");
++ dst.remove("$HOME");
++
+ if(!masterCon->useKerberos())
+ {
+ connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
diff -Nru x2goclient-4.0.5.2/debian/patches/series x2goclient-4.0.5.2/debian/patches/series
--- x2goclient-4.0.5.2/debian/patches/series 2016-11-30 08:31:54.000000000 +0100
+++ x2goclient-4.0.5.2/debian/patches/series 2019-12-22 10:53:13.000000000 +0100
@@ -1 +1,2 @@
1001_deprecated-apache2-config.patch
+libssh-regression-fix-CVE-2019-14889.patch
Reply to: