Bug#947129: marked as done (x2goclient: regression caused by CVE-2019-14889/libssh fix)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 29 Dec 2019 11:47:19 +0000
with message-id <E1ilX2V-000FTX-Mp@fasolo.debian.org>
and subject line Bug#947129: fixed in x2goclient 4.1.2.1-2+deb10u1
has caused the Debian Bug report #947129,
regarding x2goclient: regression caused by CVE-2019-14889/libssh fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: x2goclient: regression caused by CVE-2019-14889/libssh fix
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sat, 21 Dec 2019 16:53:01 +0000
• Message-id: <[🔎] 20191221165301.Horde.emHcjYRaf-gxfGlYyAXf9jC@mail.das-netzwerkteam.de>

Package: x2goclient
Version: 4.1.2.1-3
Severity: serious
Control: found -1 4.0.3.1-4
Control: found -1 4.0.5.2-2

the recent libssh fix for CVE-2019-14889 causes a regresion in X2Go Client:

```

Connection failed. Couldn't create remote file ~<user>/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory"

```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):

https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

light+love
Mike

--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgpvZmdY8it1g.pgp
Description: Digitale PGP-Signatur

--- End Message ---

--- Begin Message ---

• To: 947129-close@bugs.debian.org
• Subject: Bug#947129: fixed in x2goclient 4.1.2.1-2+deb10u1
• From: Mike Gabriel <sunweaver@debian.org>
• Date: Sun, 29 Dec 2019 11:47:19 +0000
• Message-id: <E1ilX2V-000FTX-Mp@fasolo.debian.org>

Source: x2goclient
Source-Version: 4.1.2.1-2+deb10u1

We believe that the bug you reported is fixed in the latest version of
x2goclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated x2goclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Dec 2019 18:22:22 +0100
Source: x2goclient
Architecture: source
Version: 4.1.2.1-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 947129
Changes:
 x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
 .
   * debian/patches:
     + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
       strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
       in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
       based Windows solution for Kerberos support), but newer libssh versions
       with the CVE-2019-14889 also interpret paths as literal strings.
       (Closes: #947129).
Checksums-Sha1:
 df8f3fc84a7b0bd388803200c4057e15f0a3ac32 2524 x2goclient_4.1.2.1-2+deb10u1.dsc
 b880847bce015331fcb2b62bbeda29194068b510 23976 x2goclient_4.1.2.1-2+deb10u1.debian.tar.xz
 b3987af3dad42f6ff3f6b04bc0424d745dd736f1 13293 x2goclient_4.1.2.1-2+deb10u1_source.buildinfo
Checksums-Sha256:
 655c0a02eb93c4ac1547969d3eb8d0e57c0a2802748a5b1aec45d152f45dede7 2524 x2goclient_4.1.2.1-2+deb10u1.dsc
 a47d06f610acc8505c474ba3876f9e3b83c1edceb5124a68d66194083907c545 23976 x2goclient_4.1.2.1-2+deb10u1.debian.tar.xz
 2667c61d7faec2abb82250a3bf38e22a7e31b13df228bbe32cace1228e245504 13293 x2goclient_4.1.2.1-2+deb10u1_source.buildinfo
Files:
 d26da1a02c6bfb6fdddd8604c71b3c74 2524 x11 optional x2goclient_4.1.2.1-2+deb10u1.dsc
 5bfd9edaefc75fe247e76d9a17b90b7c 23976 x11 optional x2goclient_4.1.2.1-2+deb10u1.debian.tar.xz
 8ab6412cffbcd49c133e7465435c9bba 13293 x11 optional x2goclient_4.1.2.1-2+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl3/LqcVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxJBYQAKSvOxU8qN7PkOwetsQOubM/e72G
n0ehx5g+49g1tzCyoAaWRKKQGK3GMultnm7OgMQK07I0TUc523pdoo7AHhpDXloR
POhTH2E9JLBjEGkYq6ohrr056Snf7IwvWGyU2vMuvshrpZ2k3ySDbMm4JFk85hhF
OtEsnymcttted+OFIPk01SnaRlQJYODvI94Fkxa9OygnjEOOzzql4vz2icJGT5vl
Rgw4WvEL0QBLZ7fPOmCSsxtnEYiY22o6euRAfQxMZLzoq+V0ZOiwuE0IL0+oMZHa
wJGdzWhkRlX4RYc33QAnIyqhdPs+IGLIhmvT2lEH8+kAku5eAbuHdNTvATIZAP4X
6y+iQQigVadBDK8bwXNyE2cStFwXkQNpXTEKbFmxOhMJpetVLorXtH02qEWkRHju
rzS9PJozXzrEc5kM/0upm/JOQKcR3sho7ISXWpPZK/t7Aru0gI/dyNlhdXOQRXt3
t/TaQPwgvoZLNO4pnBJmR3suNGS+BZQEICAz7k1kL33qNHzIEZ4le44ZDTbajFzO
YABdyR8kc4daYezoWfleAgS+5CKBEiV1e/5dUr8lNjFfuVZypQSPMVg/smKHJsMu
53EfUSrSRYYrnDc/puTNkpiTvLYU4XFBmCuTHJ2x/EgwQYr/4c7aqIlXBitKf5A4
3uVJ3p05s8Nl9wtU
=DQTN
-----END PGP SIGNATURE-----

--- End Message ---