
Bug#947201: marked as done (buster-pu: package x2goclient/4.1.2.1-2+deb10u1)



Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id <cf1cb2f35981916a86b98b83609df15c95aa378b.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #947201,
regarding buster-pu: package x2goclient/4.1.2.1-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947201: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947201
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I have just uploaded x2goclient 4.1.2.1-2+deb10u1 with the following change:

+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).

It was discovered that the fix for CVE-2019-14889/libssh (currently
applied in libssh/jessie and libssh/testing+sid) causes a regression in
X2Go Client (copying of files via scp from client to server during session
startup, resulting in a GUI error message that can be clicked away).

The above patch makes X2Go Client robust against the libssh fix being
applied. As a precaution, I'd like to see this be released to Debian buster.

The security team has tagged CVE-2019-14889 as <no-dsa> and provisioning
of a fix for CVE-2019-14889 must be thoroughly tracked for regressions in
other packages in testing/unstable.

Greets,
Mike


-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru x2goclient-4.1.2.1/debian/changelog x2goclient-4.1.2.1/debian/changelog
--- x2goclient-4.1.2.1/debian/changelog	2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/changelog	2019-12-21 18:22:22.000000000 +0100
@@ -1,3 +1,15 @@
+x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Sat, 21 Dec 2019 18:22:22 +0100
+
 x2goclient (4.1.2.1-2) unstable; urgency=medium
 
   * debian/patches:
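Review bot: the new changelog entry's sentence "newer libssh versions with the CVE-2019-14889 also interpret paths as literal strings" is missing a noun after the CVE id; suggest "with the CVE-2019-14889 fix", which matches the wording of the comment the patch itself adds to src/sshprocess.cpp. Also, "Fixes: #1428" is the upstream x2go bug number carried over from the upstream commit message; in a Debian changelog a bare "#1428" reads like a Debian BTS number, so qualifying it ("Fixes upstream bug #1428") avoids confusion next to the real "(Closes: #947129)".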
diff -Nru x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	1970-01-01 01:00:00.000000000 +0100
+++ x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch	2019-12-21 18:22:22.000000000 +0100
@@ -0,0 +1,110 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan <ionic@ionic.de>
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+---
+# debian/changelog   |  5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+#       sound weird first, but this behavior is consistent between all
+#       applications - tray icons can be clicked via either button and will
+#       always trigger a context menu. Let X2Go Client behave the same way.
+#+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+      destination paths in scp mode. Fixes: #1428. This was already necessary
+#+      for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+      strings.
+#   * debian/control:
+#     + Add build-depend on pkg-config.
+#   * x2goclient.spec:
+diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
+index 70c3b1c..aec5d0b 100644
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -310,6 +310,38 @@ void SshProcess::start_cp(QString src, QString dst)
+     x2goDebug<<"Copying file via SshProcess object "<<pid<<": "<<src<<" -> "<<dst;
+ 
+     scpSource=src;
++
++    /*
++     * pscp and newer libssh versions with the CVE-2019-14889 fixes treat
++     * paths as literal strings when in SFTP/SCP mode.
++     *
++     * Paths like the following will lead to errors:
++     *  - ~user/foo.txt
++     *  - ~/foo.txt
++     *  - ${HOME}/foo.txt
++     *  - $HOME/foo.txt
++     *
++     * However, relative paths are interpreted as relative to the user's home
++     * dir.
++     * For example:
++     * foo.txt
++     *
++     * This workaround assumes that files will never be uploaded to a home dir
++     * other than the user's.
++     */
++
++    dst.remove("~"+masterCon->getUser()+"/");
++    dst.remove("~"+masterCon->getUser()    );
++
++    dst.remove("~/");
++    dst.remove("~" );
++
++    dst.remove("${HOME}/");
++    dst.remove("${HOME}");
++
++    dst.remove("$HOME/");
++    dst.remove("$HOME");
++
+     if(!masterCon->useKerberos())
+     {
+         connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
+@@ -321,32 +353,6 @@ void SshProcess::start_cp(QString src, QString dst)
+     {
+         proc=new QProcess(this);
+ #ifdef Q_OS_WIN
+-//pscp doesn't acccept paths like the following when in SFTP mode (default)
+-//~user/foo.txt
+-//~/foo.txt
+-//${HOME}/foo.txt
+-//$HOME/foo.txt
+-//
+-//However, pscp does let you specify a path relative to the user's home dir.
+-//You simply specify the relative path without a / at the beginning.
+-//For example:
+-//foo.txt
+-//
+-//This workaround assumes that files will never be uploaded to a home dir
+-//other than the user's.
+-
+-        dst.remove("~"+masterCon->getUser()+"/");
+-        dst.remove("~"+masterCon->getUser()    );
+-
+-        dst.remove("~/");
+-        dst.remove("~" );
+-
+-        dst.remove("${HOME}/");
+-        dst.remove("${HOME}");
+-
+-        dst.remove("$HOME/");
+-        dst.remove("$HOME");
+-
+         QString sshString="pscp -batch -P "+
+ #else
+         QString sshString="scp -o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -P "+
+-- 
+2.17.1
+
+
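Review bot: the stripping added to SshProcess::start_cp is unanchored: QString::remove(const QString &) deletes every occurrence of the pattern, so `dst.remove("~")` and `dst.remove("$HOME")` also rewrite a '~' or "$HOME" that appears in the middle of a destination name, and `dst.remove("~"+masterCon->getUser())` matches any longer user name that starts with the same characters. This behaviour is inherited from the Windows-only block the hunk deletes further down, but the moved code now runs on every platform and backend; suggest testing the prefix with startsWith() and cutting it once with mid(), e.g. `if (dst.startsWith("$HOME/")) dst = dst.mid(6);`, and leaving any other path untouched. Separately, the commented-out `#diff --git a/debian/changelog ...` hunk and the `# debian/changelog | 5 ++++` diffstat line are dead weight in a packaging patch; a DEP-3 header (Origin, Bug, Applied-Upstream) would carry that provenance instead.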
diff -Nru x2goclient-4.1.2.1/debian/patches/series x2goclient-4.1.2.1/debian/patches/series
--- x2goclient-4.1.2.1/debian/patches/series	2018-08-13 21:48:20.000000000 +0200
+++ x2goclient-4.1.2.1/debian/patches/series	2019-12-21 18:22:22.000000000 +0100
@@ -2,3 +2,4 @@
 1002_fix-ftbfs-on-non-linux.patch
 1003_fix_ftbfs-against-libssh-0-8.patch
 1004_fix_ftbfs-against-qt5-11.patch
+libssh-regression-fix-CVE-2019-14889.patch
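Review bot: the new series entry breaks the numbering convention of the existing patches (1002_, 1003_, 1004_); suggest naming it 1005_libssh-regression-fix-CVE-2019-14889.patch so the application order stays explicit and the file sorts with its siblings.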

--- End Message ---
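As an added example (not x2goclient code, and using std::string rather than QString) of the destination-path normalisation Mike's message describes: it strips the ~user, ~, ${HOME} and $HOME spellings only when they begin the path, so a '~' elsewhere in a file name, or another user's home, is left unchanged. The remote user name is assumed to be supplied by the caller.

```cpp
#include <string>
#include <vector>

// Added example, not x2goclient code: strip a home-directory prefix from an
// scp destination path only when it actually starts the path, so a '~' or
// "$HOME" appearing elsewhere in a file name is left alone. The remote user
// name is assumed to be supplied by the caller (x2goclient reads it from the
// master connection).
std::string stripHomePrefix(const std::string& dst, const std::string& user) {
    // Spellings of "the remote user's home" that libssh with the
    // CVE-2019-14889 fix (and pscp) no longer expand.
    const std::vector<std::string> homes = {
        "~" + user, "~", "${HOME}", "$HOME",
    };
    for (const std::string& h : homes) {
        if (dst == h) {
            return "";            // the home dir itself
        }
        // Only a prefix followed by '/' counts, so "~alice" does not
        // match "~alicex/...".
        if (dst.compare(0, h.size() + 1, h + "/") == 0) {
            return dst.substr(h.size() + 1);   // now relative to $HOME
        }
    }
    // Absolute, already-relative, or another user's "~other/..." path:
    // return it unchanged rather than silently rewriting it.
    return dst;
}
```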
--- Begin Message ---
Package: release.debian.org
Version: 10.3

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
