[X2Go-Dev] Bug#1428: Bug#1428: X2Go issue (in src:x2goclient) has been marked as pending for release

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Wed Dec 25 21:22:18 CET 2019 

Hi,

On  Fr 20 Dez 2019 20:32:49 CET, Mihai Moldovan wrote:

> tag #1428 pending
> fixed #1428 4.1.2.2
> thanks
>
> Hello,
>
> X2Go issue #1428 (src:x2goclient) reported by you has been
> fixed in X2Go Git. You can see the changelog below, and you can
> check the diff of the fix at:
>
>     http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>
> The issue will most likely be fixed in src:x2goclient (4.1.2.2).
>
> light+love
> X2Go Git Admin (on behalf of the sender of this mail)
>
> ---
> commit ce559d163a943737fe4160f7233925df2eee1f9a
> Author: Mihai Moldovan <ionic at ionic.de>
> Date:   Fri Dec 20 20:27:31 2019 +0100
>
>     src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and  
> $HOME{,/} from destination paths in scp mode. Fixes: #1428.
>
>     This was already necessary for pascp (PuTTY-based Windows solution for
>     Kerberos support), but newer libssh versions with the CVE-2019-14889
>     also interpret paths as literal strings.
>
> diff --git a/debian/changelog b/debian/changelog
> index 504d6ae..9f84281 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
>        sound weird first, but this behavior is consistent between all
>        applications - tray icons can be clicked via either button and will
>        always trigger a context menu. Let X2Go Client behave the same way.
> +    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and  
> $HOME{,/} from
> +      destination paths in scp mode. Fixes: #1428. This was already  
> necessary
> +      for pascp (PuTTY-based Windows solution for Kerberos  
> support), but newer
> +      libssh versions with the CVE-2019-14889 also interpret paths  
> as literal
> +      strings.
>    * debian/control:
>      + Add build-depend on pkg-config.
>    * x2goclient.spec:

Please note that I am currently working on getting this  
libssh/CVE-2019-14889 robustness patch into Debian [done] and Ubuntu  
[pending].

Mike
-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20191225/e641c58d/attachment.sig>

More information about the x2go-dev mailing list