Package: x2goclient Version: 4.1.1.1
SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.
Client OS Ubuntu 18.04.3 LTS with libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.5 Server OS Ubuntu 16.04.6 LTS
Since december, 10th on Ubuntu, every time I connect to a server with either file sharing or printing enabled I have this error message : "Cannot create remote file ~ilm/.x2go/ssh/key.jdT502" - "SCP: Warning: status code 1 received: scp: ~ilm/.x2go/ssh: No such file or directory\n" But the directory does exist.
After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst; which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and https://usn.ubuntu.com/4219-1/ for the ubuntu packages
A similar issue is handled for Windows in SshProcess::start_cp()
As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
Control: reassign -1 x2goclient 4.1.2.1 Control: forcemerge -1 1428
- On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works. [...] After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst; which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and https://usn.ubuntu.com/4219-1/ for the ubuntu packages
Yes, I think that this change has been intentional. I'll have to fix that in X2Go Client and I know how to do this easily to retain support for pre-patched and patched versions.
I will, however, probably not be able to provide new release versions with that fix (and others) for about a months.
I'll let you know when fixed nightly versions are available, though.
As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
Please don't do that OR recommend that. You're essentially now running without the CVE fix, which is probably worse than a broken client.
Mihai
Le 20/12/2019 à 19:06, Mihai Moldovan a écrit :
Control: reassign -1 x2goclient 4.1.2.1 Control: forcemerge -1 1428
- On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works. [...] After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst; which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and https://usn.ubuntu.com/4219-1/ for the ubuntu packages Yes, I think that this change has been intentional. I'll have to fix that in X2Go Client and I know how to do this easily to retain support for pre-patched and patched versions.
I will, however, probably not be able to provide new release versions with that fix (and others) for about a months.
I'll let you know when fixed nightly versions are available, though.
OK thanks
As a workaround I reinstalled an old version of the libssh-4 package and the bug went away. Please don't do that OR recommend that. You're essentially now running without the CVE fix, which is probably worse than a broken client.
Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings.
- On 12/20/19 9:44 PM, Sylvain Cuaz wrote:
Le 20/12/2019 à 19:06, Mihai Moldovan a écrit :
I'll let you know when fixed nightly versions are available, though.
OK thanks
Nightly builds should incorporate the fix now.
Mihai
Processing control commands:
reassign -1 x2goclient 4.1.2.1 Bug #1429 [x2goclient] Tilde expansion no longer performed by libssh after CVE-2019-14889 Ignoring request to reassign bug #1429 to the same package Bug #1429 [x2goclient] Tilde expansion no longer performed by libssh after CVE-2019-14889 There is no source info for the package 'x2goclient' at version '4.1.2.1' with architecture '' Unable to make a source version for version '4.1.2.1' Marked as found in versions 4.1.2.1; no longer marked as found in versions 4.1.1.1. forcemerge -1 1428 Bug #1429 [x2goclient] Tilde expansion no longer performed by libssh after CVE-2019-14889 Bug #1428 {Done: Mihai Moldovan <ionic@ionic.de>} [x2goclient] Connection failed. Cannot create remote file Unset Bug forwarded-to-address Bug reopened Ignoring request to alter fixed versions of bug #1428 to the same values previously set Merged 1428 1429
-- 1428: bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1428 1429: bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1429 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems
-
Mihai Moldovan -
Sylvain Cuaz -
X2Go Bug Tracking System