[X2Go-Dev] Bug#1429: Bug#1429: Tilde expansion no longer performed by libssh after CVE-2019-14889
Sylvain Cuaz
sylvain at ilm-informatique.fr
Fri Dec 20 21:44:07 CET 2019
Le 20/12/2019 à 19:06, Mihai Moldovan a écrit :
> Control: reassign -1 x2goclient 4.1.2.1
> Control: forcemerge -1 1428
>
> * On 12/20/19 6:21 PM, Sylvain Cuaz wrote:
>> SSH key fails to be copied to the remote side because the path use a tilde, so neither file sharing nor client-side printing works.
>> [...]
>> After using gdb I saw that ONMainWindow::exportDirs() calls SshMasterConnection::copyFile() with dst="~"+uname +"/.x2go/ssh/"+dst;
>> which is ultimately passed to libssh. But following CVE-2019-14889 the path is now literal (quoted), see
>> https://git.libssh.org/projects/libssh.git/log/src/scp.c for the libssh logs and
>> https://usn.ubuntu.com/4219-1/ for the ubuntu packages
> Yes, I think that this change has been intentional. I'll have to fix that in
> X2Go Client and I know how to do this easily to retain support for pre-patched
> and patched versions.
>
> I will, however, probably not be able to provide new release versions with that
> fix (and others) for about a months.
>
> I'll let you know when fixed nightly versions are available, though.
OK thanks
>> As a workaround I reinstalled an old version of the libssh-4 package and the bug went away.
> Please don't do that OR recommend that. You're essentially now running without
> the CVE fix, which is probably worse than a broken client.
Yes, 'workaround' was not the right word. I meant while investigating to confirm my findings.
More information about the x2go-dev
mailing list