[SRU] X2Go Client broken by libssh CVE-2019-14889 fix

Status changed to 'Confirmed' because the bug affects multiple users.

Thanks. I can also confirm this bug running X2Go on Ubuntu 18.04 (Client / Remote).
Appears to have been described also here: https://lists.x2go.org/pipermail/x2go-dev/2019-December/013260.html

The issue seems to be that the CVE fixes changed the path interpretation to be literal.

See https://git.libssh.org/projects/libssh.git/commit/src/scp.c?id=3830c7ae6eec751b7618d3fc159cb5bb3c8806a6

If that's intentional, and I think it is, then I will need to change this behavior in X2Go Client directly instead and this bug report would be invalid.

I think, this issue needs to be re-assigned and someone needs to provide updates for x2goclient in all supported Ubuntu releases that have received the fix for CVE-2019-14889.

This patch needs to be applied on top of X2Go Client:
https://code.x2go.org/gitweb?p=x2goclient.git;a=patch;h=ce559d163a943737fe4160f7233925df2eee1f9a

For Debian, I am currently on this...

See Debian bug 947129
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129

Fixed in focal:

x2goclient (4.1.2.1-4) unstable; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (Closes: #947129).

 -- Mike Gabriel <email address hidden> Sat, 21 Dec 2019 17:56:23 +0100

Affect versions of libssh:

focal 0.9.0-1ubuntu5
eoan 0.9.0-1ubuntu1.3
disco 0.8.6-3ubuntu0.3
bionic 0.8.0~20170825.94fa1e38-1ubuntu0.5
xenial 0.6.3-4.3ubuntu0.5

Please see https://wiki.ubuntu.com/StableReleaseUpdates
[Test Case] and [Regression Potential] sections need to be added to the original report.
Debdiffs for Eoan, Bionic and Xenial need to be attached.
Disco is EOL in January 2020, so I think it's safe to ignore.

Based on:
https://salsa.debian.org/debian-remote-team/x2goclient/tree/ubuntu/bionic/updates

I've uploaded packages for Eoan, Bionic and Xenial with minor changes to my PPA:
https://launchpad.net/~ginggs/+archive/ubuntu/sru

Please test them and update the [Test Case] and [Regression Potential] sections in the original report.

[Test case]
Connect to a x2go server on a session that has file sharing or audo-forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".

[Regression potential]
Very low as the patch removes "~<user>" from the ssh string which is the same as just using no path spec (":") as the default is the home dir of the logged in remote user.

I have tested Graham's ppa packages and they work again as before the libssh change and fix the bug reliably.

@ginggs: What else is needed to get this fix for X2Go Client into Ubuntu updates?

Hello Mihai, or anyone else affected,

Accepted x2goclient into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.1.2.1-2ubuntu0.19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mihai, or anyone else affected,

Accepted x2goclient into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.1.1.1-2ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mihai, or anyone else affected,

Accepted x2goclient into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.0.5.1-1ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi, on my Ubuntu 18.04.3 workstation, the package version 4.1.1.1-2ubuntu0.18.04.1 does fix the bug. I can again share folders and print.

Hi,

package x2goclient 4.1.2.1-2ubuntu0.19.10.1 fixes this issue on my Kubuntu 19.10.

- Alex

On my ubuntu 16.04, the package version 4.0.5.1-1ubuntu0.16.04.1 does fix the bug. I can share folders and print.

Hi, I'm on Ubuntu 19.10, the package x2goclient 4.1.2.1-2ubuntu0.19.10.1 fixes the bug for me.

This bug was fixed in the package x2goclient - 4.1.2.1-2ubuntu0.19.10.1

---------------
x2goclient (4.1.2.1-2ubuntu0.19.10.1) eoan; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

The verification of the Stable Release Update for x2goclient has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package x2goclient - 4.1.1.1-2ubuntu0.18.04.1

---------------
x2goclient (4.1.1.1-2ubuntu0.18.04.1) bionic; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

This bug was fixed in the package x2goclient - 4.0.5.1-1ubuntu0.16.04.1

---------------
x2goclient (4.0.5.1-1ubuntu0.16.04.1) xenial; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

I am still having this issue in Ubuntu 16.04.6 LTS. The automatically installed x2goclient version is 4.1.2.1-0~1788~ubuntu14.04.1, and it won't update to 4.0.5.1-1ubuntu0.16.04.1 unless one force the version.

can someone push an update to 16.04?

Hi Qianqian Fang
There is no version 4.1.2.1-0~1788~ubuntu14.04.1 in the Ubuntu repository.
I think you have installed a version from a PPA.
I suggest disabling the PPA, uninstalling x2goclient, and then installing x2goclient 4.0.5.1-1ubuntu0.16.04.1 from the Ubuntu repository.