[SRU] X2Go Client broken by libssh CVE-2019-14889 fix

Bug #1856795 reported by Mihai Moldovan on 2019-12-18
This bug affects 12 people
Affects                 Status        Importance  Assigned to  Milestone
x2goclient (Debian)     Fix Released  Unknown
x2goclient (Ubuntu)                   Undecided   Unassigned
  Xenial                              Undecided   Unassigned
  Bionic                              Undecided   Unassigned
  Disco                               Undecided   Unassigned
  Eoan                                Undecided   Unassigned

Bug Description

[Test case]
Connect to an X2Go server with a session that has file sharing or audio forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".

[Regression potential]
Very low, as the patch removes "~<user>" from the ssh string, which is the same as just using no path spec (":"), since the default is the home dir of the logged-in remote user.

--------------------------------------------------------------------------

The recent CVE fix broke SCP support in libssh, which X2Go Client (x2goclient) relies on.

Sessions now fail with error messages such as "SCP: Warning: status code 1 received: scp: ~username/.x2go/ssh: No such file or directory\n". (Also note the literal "\n" there, but I guess we don't really need to care about that.)

The previous version worked fine and rolling the libssh4 package back fixes this issue, but also leaves users vulnerable to the fixed security issue in its scp implementation.

I've been looking at the debdiff, but spotting the actual changes is very difficult due to the reformatting that was done at the same time. This degraded the patch(es) into one big blob.


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libssh (Ubuntu):
status: New → Confirmed
cprecht2123 (cprecht2123) wrote :

Thanks. I can also confirm this bug running X2Go on Ubuntu 18.04 (Client / Remote).
Appears to have been described also here: https://lists.x2go.org/pipermail/x2go-dev/2019-December/013260.html

Mihai Moldovan (ionic) wrote :

The issue seems to be that the CVE fixes changed the path interpretation to be literal.

See https://git.libssh.org/projects/libssh.git/commit/src/scp.c?id=3830c7ae6eec751b7618d3fc159cb5bb3c8806a6

If that's intentional, and I think it is, then I will need to change this behavior in X2Go Client directly instead and this bug report would be invalid.

Mike Gabriel (sunweaver) wrote :

I think this issue needs to be re-assigned and someone needs to provide updates for x2goclient in all supported Ubuntu releases that have received the fix for CVE-2019-14889.

This patch needs to be applied on top of X2Go Client:
https://code.x2go.org/gitweb?p=x2goclient.git;a=patch;h=ce559d163a943737fe4160f7233925df2eee1f9a

For Debian, I am currently on this...

Daniel Lange (dlange) on 2019-12-21
Changed in x2goclient (Ubuntu):
status: New → Confirmed
Graham Inggs (ginggs) on 2019-12-21
Changed in libssh (Ubuntu):
status: Confirmed → Invalid
Changed in x2goclient (Debian):
status: Unknown → Fix Released
Graham Inggs (ginggs) wrote :

Fixed in focal:

x2goclient (4.1.2.1-4) unstable; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (Closes: #947129).

 -- Mike Gabriel <email address hidden> Sat, 21 Dec 2019 17:56:23 +0100

Changed in x2goclient (Ubuntu):
status: Confirmed → Fix Released
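The changelog above describes the client-side fix only in words: libssh's CVE-2019-14889 fix stopped handing the remote path to a shell, so "~user/.x2go/ssh" is now looked up literally (a directory called "~user" under the remote working directory, hence the "No such file or directory" error), and X2Go Client instead strips the home-directory prefixes itself. The function below is an added illustration of that stripping rule, written in plain C++ for this page; it is not x2goclient's sshprocess.cpp, and the function name, the `user` argument and the sample paths are assumptions. It also handles a case the changelog does not spell out: a tilde prefix that is only a partial match for the login name ("~bobby" when the user is "bob") is left alone rather than truncated.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Hypothetical helper (not x2goclient's code). If `dest` starts with `prefix`
// followed by end-of-string or '/', store the remainder (slash consumed) in
// `rest` and return true; otherwise return false and leave `rest` untouched.
static bool consumeHome(const std::string& dest, const std::string& prefix,
                        std::string& rest) {
    if (dest.compare(0, prefix.size(), prefix) != 0) return false;   // no match
    if (dest.size() == prefix.size()) { rest.clear(); return true; }  // exactly "~user"
    if (dest[prefix.size()] == '/') {                                  // "~user/..."
        rest = dest.substr(prefix.size() + 1);
        return true;
    }
    return false;   // e.g. "~bobby/..." when prefix is "~bob": not the home dir
}

// Strip the forms the changelog lists (~/, ~user{,/}, ${HOME}{,/}, $HOME{,/})
// from an scp destination. An empty result means "the remote user's home",
// which is what scp uses when no path is given at all (the ":" case the
// regression-potential note refers to). `user` is the remote login name.
std::string stripHomePrefix(const std::string& dest, const std::string& user) {
    std::string rest;
    for (const std::string& p : {std::string("~"), "~" + user,
                                 std::string("${HOME}"), std::string("$HOME")}) {
        if (consumeHome(dest, p, rest)) return rest;
    }
    return dest;   // absolute or already-relative paths pass through unchanged
}

int main() {
    // Constructed sample: the exact destination from the bug report.
    const std::string before = "~bob/.x2go/ssh";
    std::cout << before << " -> " << stripHomePrefix(before, "bob") << '\n';
    return 0;
}
```

With a literal-path libssh, the stripped form ".x2go/ssh" resolves relative to the remote user's home directory, which is what the old shell-expanded "~user/.x2go/ssh" meant; a path naming a different user's home ("~alice/...") is deliberately not rewritten, since only the login user's home is known to be the scp working directory.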
Graham Inggs (ginggs) wrote :

Affected versions of libssh:

focal 0.9.0-1ubuntu5
eoan 0.9.0-1ubuntu1.3
disco 0.8.6-3ubuntu0.3
bionic 0.8.0~20170825.94fa1e38-1ubuntu0.5
xenial 0.6.3-4.3ubuntu0.5

Changed in x2goclient (Ubuntu Xenial):
status: New → Confirmed
Changed in x2goclient (Ubuntu Bionic):
status: New → Confirmed
Changed in x2goclient (Ubuntu Disco):
status: New → Confirmed
Changed in x2goclient (Ubuntu Eoan):
status: New → Confirmed
Changed in libssh (Ubuntu Xenial):
status: New → Invalid
Changed in libssh (Ubuntu Bionic):
status: New → Invalid
Changed in libssh (Ubuntu Disco):
status: New → Invalid
Changed in libssh (Ubuntu Eoan):
status: New → Invalid
Graham Inggs (ginggs) wrote :

Please see https://wiki.ubuntu.com/StableReleaseUpdates
[Test Case] and [Regression Potential] sections need to be added to the original report.
Debdiffs for Eoan, Bionic and Xenial need to be attached.
Disco is EOL in January 2020, so I think it's safe to ignore.

summary: - X2Go Client broken by 0.8.0~20170825.94fa1e38-1ubuntu0.5
+ [SRU] X2Go Client broken by libssh CVE-2019-14889 fix
Graham Inggs (ginggs) wrote :

Based on:
https://salsa.debian.org/debian-remote-team/x2goclient/tree/ubuntu/bionic/updates

I've uploaded packages for Eoan, Bionic and Xenial with minor changes to my PPA:
https://launchpad.net/~ginggs/+archive/ubuntu/sru

Please test them and update the [Test Case] and [Regression Potential] sections in the original report.

Daniel Lange (dlange) wrote :

[Test case]
Connect to an X2Go server with a session that has file sharing or audio forwarding enabled -> Error message "SCP: Warning: status code 1 received: scp: ~<user>/.x2go/ssh: No such file or directory" needs to be clicked away with "ok".

[Regression potential]
Very low, as the patch removes "~<user>" from the ssh string, which is the same as just using no path spec (":"), since the default is the home dir of the logged-in remote user.

I have tested Graham's ppa packages and they work again as before the libssh change and fix the bug reliably.

Graham Inggs (ginggs) on 2020-01-02
description: updated
Graham Inggs (ginggs) on 2020-01-02
Changed in x2goclient (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in x2goclient (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in x2goclient (Ubuntu Eoan):
status: Confirmed → In Progress
Mike Gabriel (sunweaver) wrote :

@ginggs: What else is needed to get this fix for X2Go Client into Ubuntu updates?

Hello Mihai, or anyone else affected,

Accepted x2goclient into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.1.2.1-2ubuntu0.19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in x2goclient (Ubuntu Disco):
status: Confirmed → Invalid
Changed in x2goclient (Ubuntu Eoan):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-eoan
Changed in x2goclient (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Mihai, or anyone else affected,

Accepted x2goclient into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.1.1.1-2ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in x2goclient (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Timo Aaltonen (tjaalton) wrote :

Hello Mihai, or anyone else affected,

Accepted x2goclient into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/x2goclient/4.0.5.1-1ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Mathew Hodson (mhodson) on 2020-01-25
no longer affects: libssh (Ubuntu Eoan)
no longer affects: libssh (Ubuntu Disco)
no longer affects: libssh (Ubuntu Bionic)
no longer affects: libssh (Ubuntu Xenial)
no longer affects: libssh (Ubuntu)
Mathew Hodson (mhodson) on 2020-01-25
Changed in x2goclient (Ubuntu Disco):
status: Invalid → Won't Fix
Sylvain CUAZ (sylvain.ilm) wrote :

Hi, on my Ubuntu 18.04.3 workstation, the package version 4.1.1.1-2ubuntu0.18.04.1 does fix the bug. I can again share folders and print.

tags: added: verification-done-bionic
removed: verification-needed-bionic

Hi,

package x2goclient 4.1.2.1-2ubuntu0.19.10.1 fixes this issue on my Kubuntu 19.10.

- Alex

Sylvain CUAZ (sylvain.ilm) wrote :

On my ubuntu 16.04, the package version 4.0.5.1-1ubuntu0.16.04.1 does fix the bug. I can share folders and print.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Alex Potapenko (alllexx88) wrote :

Hi, I'm on Ubuntu 19.10, the package x2goclient 4.1.2.1-2ubuntu0.19.10.1 fixes the bug for me.

tags: added: verification-done-eoan
removed: verification-needed-eoan
Graham Inggs (ginggs) on 2020-01-28
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package x2goclient - 4.1.2.1-2ubuntu0.19.10.1

---------------
x2goclient (4.1.2.1-2ubuntu0.19.10.1) eoan; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

Changed in x2goclient (Ubuntu Eoan):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for x2goclient has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package x2goclient - 4.1.1.1-2ubuntu0.18.04.1

---------------
x2goclient (4.1.1.1-2ubuntu0.18.04.1) bionic; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

Changed in x2goclient (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package x2goclient - 4.0.5.1-1ubuntu0.16.04.1

---------------
x2goclient (4.0.5.1-1ubuntu0.16.04.1) xenial; urgency=medium

  * debian/patches:
    + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp:
      strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths
      in scp mode. Fixes: #1428. This was already necessary for pascp (PuTTY-
      based Windows solution for Kerberos support), but newer libssh versions
      with the CVE-2019-14889 also interpret paths as literal strings.
      (LP: #1856795).

 -- Mike Gabriel <email address hidden> Wed, 25 Dec 2019 21:11:41 +0100

Changed in x2goclient (Ubuntu Xenial):
status: Fix Committed → Fix Released
Qianqian Fang (fangq) wrote :

I am still having this issue in Ubuntu 16.04.6 LTS. The automatically installed x2goclient version is 4.1.2.1-0~1788~ubuntu14.04.1, and it won't update to 4.0.5.1-1ubuntu0.16.04.1 unless one forces the version.

can someone push an update to 16.04?

Graham Inggs (ginggs) wrote :

Hi Qianqian Fang
There is no version 4.1.2.1-0~1788~ubuntu14.04.1 in the Ubuntu repository.
I think you have installed a version from a PPA.
I suggest disabling the PPA, uninstalling x2goclient, and then installing x2goclient 4.0.5.1-1ubuntu0.16.04.1 from the Ubuntu repository.
