[SRU] X2Go Client broken by libssh CVE-2019-14889 fix
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
x2goclient (Debian) |
Fix Released
|
Unknown
|
|||
x2goclient (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Disco |
Won't Fix
|
Undecided
|
Unassigned | ||
Eoan |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Test case]
Connect to a x2go server on a session that has file sharing or audo-forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".
[Regression potential]
Very low as the patch removes "~<user>" from the ssh string which is the same as just using no path spec (":") as the default is the home dir of the logged in remote user.
-------
The recent CVE fix broke SCP support in libssh, which X2Go Client (x2goclient) relies on.
Sessions now fail with error messages such as "SCP: Warning: status code 1 received: scp: ~username/
The previous version worked fine and rolling the libssh4 package back fixes this issue, but also leaves users vulnerable to the fixed security issue in its scp implementation.
I've been looking at the debdiff, but spotting the actual changes is very difficult due to the reformatting that was done at the same time. This degraded the patch(es) into one big blob.
CVE References
Changed in x2goclient (Ubuntu): | |
status: | New → Confirmed |
Changed in libssh (Ubuntu): | |
status: | Confirmed → Invalid |
Changed in x2goclient (Debian): | |
status: | Unknown → Fix Released |
description: | updated |
Changed in x2goclient (Ubuntu Xenial): | |
status: | Confirmed → In Progress |
Changed in x2goclient (Ubuntu Bionic): | |
status: | Confirmed → In Progress |
Changed in x2goclient (Ubuntu Eoan): | |
status: | Confirmed → In Progress |
no longer affects: | libssh (Ubuntu Eoan) |
no longer affects: | libssh (Ubuntu Disco) |
no longer affects: | libssh (Ubuntu Bionic) |
no longer affects: | libssh (Ubuntu Xenial) |
no longer affects: | libssh (Ubuntu) |
Changed in x2goclient (Ubuntu Disco): | |
status: | Invalid → Won't Fix |
tags: |
added: verification-done removed: verification-needed |
Status changed to 'Confirmed' because the bug affects multiple users.