Bug#947129: marked as done (x2goclient: regression caused by CVE-2019-14889/libssh fix)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 29 Dec 2019 14:44:56 +0000
with message-id <E1ilZoO-0005AW-7N@fasolo.debian.org>
and subject line Bug#947129: fixed in x2goclient 4.0.5.2-2+deb9u1
has caused the Debian Bug report #947129,
regarding x2goclient: regression caused by CVE-2019-14889/libssh fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: x2goclient: regression caused by CVE-2019-14889/libssh fix
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sat, 21 Dec 2019 16:53:01 +0000
• Message-id: <[🔎] 20191221165301.Horde.emHcjYRaf-gxfGlYyAXf9jC@mail.das-netzwerkteam.de>

Package: x2goclient
Version: 4.1.2.1-3
Severity: serious
Control: found -1 4.0.3.1-4
Control: found -1 4.0.5.2-2

the recent libssh fix for CVE-2019-14889 causes a regresion in X2Go Client:

```

Connection failed. Couldn't create remote file ~<user>/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory"

```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):

https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

light+love
Mike

--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgpSu4zrymwcC.pgp
Description: Digitale PGP-Signatur

--- End Message ---

--- Begin Message ---

• To: 947129-close@bugs.debian.org
• Subject: Bug#947129: fixed in x2goclient 4.0.5.2-2+deb9u1
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sun, 29 Dec 2019 14:44:56 +0000
• Message-id: <E1ilZoO-0005AW-7N@fasolo.debian.org>

Source: x2goclient
Source-Version: 4.0.5.2-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
x2goclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated x2goclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Dec 2019 14:53:58 +0100
Source: x2goclient
Architecture: source
Version: 4.0.5.2-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 947129
Changes:
 x2goclient (4.0.5.2-2+deb9u1) stretch; urgency=medium
 .
   * debian/patches:
     + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
       strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
       in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
       based Windows solution for Kerberos support), but newer libssh versions
       with the CVE-2019-14889 also interpret paths as literal strings.
       (Closes: #947129).
Checksums-Sha1:
 0244ba470443ff25216cf62258156e3803d78692 2427 x2goclient_4.0.5.2-2+deb9u1.dsc
 337c99644163694d99a85f18599ae35a674cebbb 19392 x2goclient_4.0.5.2-2+deb9u1.debian.tar.xz
 de6ec636d19cae96d7b01e822b0f3e527eb75745 9895 x2goclient_4.0.5.2-2+deb9u1_source.buildinfo
Checksums-Sha256:
 52469be2c1d12427aa222235c4c3f1109ca43a51bf56890774993f7bb8831be5 2427 x2goclient_4.0.5.2-2+deb9u1.dsc
 3b0b6f7d4235b7debbdd23a8d2ba40a33831f0a98b4773f48ffdda6413eaa0d2 19392 x2goclient_4.0.5.2-2+deb9u1.debian.tar.xz
 fea1d7b4a076dc2a7aeeb08eb48ae555682ed25dcf6b28dfd8ca6855cdbbdbc0 9895 x2goclient_4.0.5.2-2+deb9u1_source.buildinfo
Files:
 bf3e9fbeafc260e3c54370a6c791dda0 2427 x11 extra x2goclient_4.0.5.2-2+deb9u1.dsc
 82e79762c750b1936d5450c74f6d21e5 19392 x11 extra x2goclient_4.0.5.2-2+deb9u1.debian.tar.xz
 4ce8b8a1a3c761bc30c726dea03fe9e8 9895 x11 extra x2goclient_4.0.5.2-2+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl3/dtsVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxBHYQAIkQh703jOSC4FNbNoEfR53Zrm5+
QRuRnuZZwFEBTUtwwaBAcOhrUyjpb6RygLBI8bPijeKV6sDdcz6eu8boAFETvkHY
iKFv3tyeagjOUMxrklm4CtD1Ml/wIA9+vcBKcEMPsaSgPUZgODSikAumW+2UAd95
ikoPifv6/DWXnD5KcNITFzl+d64HIWMwlxAOXLOVWuWDlHvnpiB8Cd721X8QyyiR
YGXXkRrPCXPcEoxwrToPRpo9ec8xFAw1fNCHHsvEyC5Ce91qMbVlSAvw/6N6qU1d
JUbVwGtCySC7Qr5K07efJQxubJ9XpZspFfN+8tWX7YmSy2Wh8a7w7HcOZHuUzxDZ
YMNXmmGz9nmFgbsnfeV5U9gV7CyvrLfBQqWR/a4IGkUvbPF3H9lpyA4TuWnKLeSs
Y5ODIspTMazS8ECQer8zWCtxx0Rfr+lMwpP9zEXrgpoRCcpuIjbTwNcbdae4Sx/u
N+zjhaGZbof7ogS2y6jBQGW6c/rxZWYlih2nRbIET+0DMR/ZXAzLXBorbdxYqPj8
OVhdX0z3EVzmeA5qEoU2tcD3zHwM01nY7ltUJ4cZ+QwFvzfOVnXcE/+x402boGzW
io3ziyI0kPj0LeT9oP+jDOfYPBRUL9MAzNkGweMfLPOJbgwLsYKhkFRppo1G0ctt
U+VclJXs/V0TGcVo
=tap0
-----END PGP SIGNATURE-----

--- End Message ---