Version in base suite: 4.1.2.1-2
Base version: x2goclient_4.1.2.1-2
Target version: x2goclient_4.1.2.1-2+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/x2goclient/x2goclient_4.1.2.1-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/x/x2goclient/x2goclient_4.1.2.1-2+deb10u1.dsc
 changelog                                          |  12 ++
 patches/libssh-regression-fix-CVE-2019-14889.patch | 110 +++++++++++++++++++++
 patches/series                                     |   1
 3 files changed, 123 insertions(+)
diff -Nru x2goclient-4.1.2.1/debian/changelog x2goclient-4.1.2.1/debian/changelog
--- x2goclient-4.1.2.1/debian/changelog 2018-08-13 19:48:20.000000000 +0000
+++ x2goclient-4.1.2.1/debian/changelog 2019-12-21 17:22:22.000000000 +0000
@@ -1,3 +1,15 @@
+x2goclient (4.1.2.1-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
+      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
+      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
+      based Windows solution for Kerberos support), but newer libssh versions
+      with the CVE-2019-14889 also interpret paths as literal strings.
+      (Closes: #947129).
+
+ -- Mike Gabriel  Sat, 21 Dec 2019 18:22:22 +0100
+
 x2goclient (4.1.2.1-2) unstable; urgency=medium
   * debian/patches:
diff -Nru x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch
--- x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 1970-01-01 00:00:00.000000000 +0000
+++ x2goclient-4.1.2.1/debian/patches/libssh-regression-fix-CVE-2019-14889.patch 2019-12-21 17:22:22.000000000 +0000
@@ -0,0 +1,110 @@
+From ce559d163a943737fe4160f7233925df2eee1f9a Mon Sep 17 00:00:00 2001
+From: Mihai Moldovan
+Date: Fri, 20 Dec 2019 20:27:31 +0100
+Subject: [PATCH] src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and
+ $HOME{,/} from destination paths in scp mode. Fixes: #1428.
+
+This was already necessary for pascp (PuTTY-based Windows solution for
+Kerberos support), but newer libssh versions with the CVE-2019-14889
+also interpret paths as literal strings.
+---
+# debian/changelog   |  5 ++++
+ src/sshprocess.cpp | 58 +++++++++++++++++++++++++---------------------
+ 2 files changed, 37 insertions(+), 26 deletions(-)
+
+#diff --git a/debian/changelog b/debian/changelog
+#index 504d6ae..9f84281 100644
+#--- a/debian/changelog
+#+++ b/debian/changelog
+#@@ -135,6 +135,11 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
+#       sound weird first, but this behavior is consistent between all
+#       applications - tray icons can be clicked via either button and will
+#       always trigger a context menu. Let X2Go Client behave the same way.
+#+    - src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from
+#+      destination paths in scp mode. Fixes: #1428. This was already necessary
+#+      for pascp (PuTTY-based Windows solution for Kerberos support), but newer
+#+      libssh versions with the CVE-2019-14889 also interpret paths as literal
+#+      strings.
+#   * debian/control:
+#     + Add build-depend on pkg-config.
+#   * x2goclient.spec:
+diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
+index 70c3b1c..aec5d0b 100644
+--- a/src/sshprocess.cpp
++++ b/src/sshprocess.cpp
+@@ -310,6 +310,38 @@ void SshProcess::start_cp(QString src, QString dst)
+     x2goDebug<<"Copying file via SshProcess object "< "<getUser()+"/");
++    dst.remove("~"+masterCon->getUser() );
++
++    dst.remove("~/");
++    dst.remove("~" );
++
++    dst.remove("${HOME}/");
++    dst.remove("${HOME}");
++
++    dst.remove("$HOME/");
++    dst.remove("$HOME");
++
+     if(!masterCon->useKerberos())
+     {
+         connect(masterCon, SIGNAL(copyErr(SshProcess*,QString,QString)), this,
+@@ -321,32 +353,6 @@ void SshProcess::start_cp(QString src, QString dst)
+     {
+         proc=new QProcess(this);
+ #ifdef Q_OS_WIN
+-//pscp doesn't acccept paths like the following when in SFTP mode (default)
+-//~user/foo.txt
+-//~/foo.txt
+-//${HOME}/foo.txt
+-//$HOME/foo.txt
+-//
+-//However, pscp does let you specify a path relative to the user's home dir.
+-//You simply specify the relative path without a / at the beginning.
+-//For example:
+-//foo.txt
+-//
+-//This workaround assumes that files will never be uploaded to a home dir
+-//other than the user's.
+-
+-        dst.remove("~"+masterCon->getUser()+"/");
+-        dst.remove("~"+masterCon->getUser() );
+-
+-        dst.remove("~/");
+-        dst.remove("~" );
+-
+-        dst.remove("${HOME}/");
+-        dst.remove("${HOME}");
+-
+-        dst.remove("$HOME/");
+-        dst.remove("$HOME");
+-
+         QString sshString="pscp -batch -P "+
+ #else
+         QString sshString="scp -o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -P "+
+--
+2.17.1
+
+
diff -Nru x2goclient-4.1.2.1/debian/patches/series x2goclient-4.1.2.1/debian/patches/series
--- x2goclient-4.1.2.1/debian/patches/series 2018-08-13 19:48:20.000000000 +0000
+++ x2goclient-4.1.2.1/debian/patches/series 2019-12-21 17:22:22.000000000 +0000
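Review bot: The stripping moved into the unconditional block uses `QString::remove(const QString&)`, which deletes every occurrence of `~`, `$HOME` or `${HOME}` anywhere in `dst`, not only a leading home-directory reference, so a destination whose file name merely contains a `~` or `$HOME` is silently rewritten — and with this patch that now happens on every platform, not just under `Q_OS_WIN` as before. Anchoring the match with `startsWith` and removing only that one prefix (longest first) keeps the intended "relative to home" result for real home references and leaves every other path byte-for-byte intact, which is also what the literal-path handling in newer libssh expects; it also evaluates `masterCon->getUser()` once instead of twice. `start_cp` begins and ends outside this hunk, and the inner header `@@ -310,6 +310,38 @@` announces 32 added lines while fewer are visible here, so the comment block that presumably accompanies the moved code appears truncated in this rendering rather than absent from the patch.
```cpp
    // Strip only a leading home-directory reference; QString::remove(QString)
    // would delete every occurrence of the substring anywhere in the path.
    const QString user = masterCon->getUser();
    const QStringList home_prefixes = {
        "~" + user + "/", "~" + user, "~/", "~",
        "${HOME}/", "${HOME}", "$HOME/", "$HOME"
    };
    for (const QString &prefix : home_prefixes) {
        if (dst.startsWith(prefix)) {
            dst.remove(0, prefix.length());
            break;
        }
    }
    // … unchanged: useKerberos() branch …
```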
@@ -2,3 +2,4 @@
 1002_fix-ftbfs-on-non-linux.patch
 1003_fix_ftbfs-against-libssh-0-8.patch
 1004_fix_ftbfs-against-qt5-11.patch
+libssh-regression-fix-CVE-2019-14889.patch