pool/xrdp
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1102086 from home:linnaea:branches:X11:RemoteDesktop

Browse Source 
- Update to version 0.9.22
  + New features
    - Empty passwords are no longer automatically passed through to sesman for authentication
    - Don't try to listen on the scard socket if it isn't there
    - The directory where PAM configuration files are installed can now be set with --with-pamconfdir
    - Sesman can now be configured to ignore alternate shells passed from the client
    - Allow longer UserWindowManager strings
    - openSuSE Tumbleweed move to /usr/lib/pam.d is now supported in the installation scripts
    - VNC backend session now supports extra mouse buttons 6, 7 and 8
  + Bug fixes
    - Minor documentation fixes
    - Memory management fixes to list module
    - Fix some noise when MP3/AAC are in use and some logging improvements
    - Fix potential NULL dereferences in chansrv
    - An erroneous free in the smartcard handling code has been removed
    - Passwords are no longer left on the heap in sesman
    - Set permissions on pcsc socket dir to owner only
- Drop upstreamed patches:
    xrdp-CVE-2022-23468.patch
    xrdp-CVE-2022-23477.patch
    xrdp-CVE-2022-23478.patch
    xrdp-CVE-2022-23479.patch
    xrdp-CVE-2022-23480.patch
    xrdp-CVE-2022-23481.patch
    xrdp-CVE-2022-23482.patch
    xrdp-CVE-2022-23483.patch
    xrdp-CVE-2022-23484.patch
    xrdp-CVE-2022-23493.patch
    xrdp-make-pamconfdir-configurable.patch
    xrdp-update-pam.d-path.patch

OBS-URL: https://build.opensuse.org/request/show/1102086
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=119
This commit is contained in:
Dirk Mueller 2023-08-08 07:00:45 +00:00 committed by Git OBS Bridge
parent a390a9a598
commit 8222d51000
18 changed files with 65 additions and 1016 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
xrdp-0.9.20.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb
size 2062157

16
xrdp-0.9.20.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEGKuDipBxZ3RZFIcZA5k7QGXnGTsFAmMiv48ACgkQA5k7QGXn
GTulEhAAnTDBCyslV+m1Z9cJ/Pkt08vVGcOS+O9tDZIFu/oCRGKqjS/h/tOWMPaK
zbPT0U9Lf/EfyqBeJYc6UwZdEijL2QV1kSyeKYTIlGomecxJERDbh38q6iJYTkHf
l3tiShaT1jxWQyeTMDPLuOC4UE0d1R2RYpCIm1c9MWPx9pTiBvvtIespzjeAM5Sp
7/o5d+8aIp1XL8/v0I//zPUCHdvADwqEgwDh76OdNIqWBpIoRfdIdmZYsR8a/ZcF
Y8+UIrYHt5tXHnAgiAXQep5l96JNH+tMZQ2n4w0tO7FSKmC+L8lLqaAfSBrgFbHF
BMVs+IV9HrTA9TLogzAAheZ5lIrw2DHswHS/3tgYl5++BCWC++TWkV04/+FY2Cbc
YNAeQ5vOfolsagWraSDr/DQOcar+GEjMLX4b2KYoKnBU6RoSHgkXaaxrO9ruXUZd
V3U0zqtEGJDVelLaZ4cV/Z9OGYtmr3NrKI4Xb+PjI6DFLoimx1g58VN6A5Fku33W
MnaXRXKZBsbJWe9FmoA1q7oERuFDQTkRgJyi4rIZiZDHQtNHeoF7T5R8yVtFjk5R
g3Lq9KAzuw84vCzg30THd228gV3ookGu7L5JWvsaVDb8CdN2uxIMYQoijCQbgw/p
CMrqNiH3KvjlnPoLn9iYYhhe84io+HQk1ZNwIIQ/yWYjU0z2RJQ=
=egk+
-----END PGP SIGNATURE-----

3
xrdp-0.9.22.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6dd320cfe9594a2aaa78f90adfe1bb550f9ce3f58bd9fc312dd30d003cb7f3cb
size 2059401

16
xrdp-0.9.22.1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEGKuDipBxZ3RZFIcZA5k7QGXnGTsFAmRsEM0ACgkQA5k7QGXn
GTvOXA//cvi3R0CMIOtTCb8LYXEeH6+S8c4Mr/FDvvWn/7+lKcDG2T/d5dLkLobn
oQjmdnFT/aTlcQau5tlbpRms5zYjT9uAx4CCQ6pQENEbzlq4hB4yQ8ue8b9Up08v
4W0JyMZYpq96Hd1VgNOf+MBkLsHbKsCPB8f6GqEWvdMIrRtBTvP4pb+BxLgKxcZ8
afWRcjymgVUBRgwzAP2KAiOhFM6aVCUVf0JQ97YxhZWMt2+IWwl0MvJW4otztMC/
FgOomfdXnkhUKjdN5GTbG4mwBF4NiLSQirQfdFp+mkpZMTQNoqkahymXbAv9O525
mqpItW59MjkonlvpPwX3ZiRBjOezOFhq/tAyKUWJ2FxYG7YRuVM50rrI8bhIQ90N
JO2KIwfLcki+wNDNlYYZvUFV6vdjwIOWy26gtsu0sTCSH7BIZ9kezxhfYiY9BBGN
6XuCtz6/rbcF89a7pMJoME+obGDlemp7vmhAf5R3pjtXjfj62eIfxefvjt0w1rvU
fujowcsgOUWAQ3evMSedrjThdD6fETbNc9nHCtum0SzMcupTZp4bBhDR2eaVv4QF
kd+BwG0vE+tiWDs6xeKrxhNS/Ok80B7coFeynuzALQXxVQk69e7mTmZtotkRAwx2
+hXaVl+EjuskKFPevrz6TlIzQYNj7qyjhgGbJ4HllUcsJdc7Wa4=
=ePiK
-----END PGP SIGNATURE-----

33
xrdp-CVE-2022-23468.patch
View File

@ -1,33 +0,0 @@
From a0b5de1d09ed149cbbee8697f001adbbe9476a06 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:16:44 +0000
Subject: [PATCH 1/9] CVE-2022-23468
Login window - replace g_sprintf() withl g_snprintf() calls
---
xrdp/xrdp_login_wnd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
index 7a3134fd..28748676 100644
--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
if (globals->ls_title[0] == 0)
{
g_gethostname(buf1, 256);
- g_sprintf(buf, "Login to %s", buf1);
+ g_snprintf(buf, sizeof(buf), "Login to %s", buf1);
set_string(&self->login_window->caption1, buf);
}
else
{
/*self->login_window->caption1 = globals->ls_title[0];*/
- g_sprintf(buf, "%s", globals->ls_title);
+ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title);
set_string(&self->login_window->caption1, buf);
}
--
2.39.0

37
xrdp-CVE-2022-23477.patch
View File

@ -1,37 +0,0 @@
From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477
Prevent buffer overflow for oversized audio format from client
---
sesman/chansrv/audin.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index cd802fa5..36a8027a 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
int error;
int bytes;
struct stream *s;
- struct xr_wave_format_ex *wf;
+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");
make_stream(s);
- init_stream(s, 8192);
+ /* wf->cbSize was checked when the format was received */
+ init_stream(s, wf->cbSize + 64);
+
out_uint8(s, MSG_SNDIN_OPEN);
out_uint32_le(s, 2048); /* FramesPerPacket */
out_uint32_le(s, g_current_format); /* initialFormat */
- wf = g_client_formats[g_current_format];
out_uint16_le(s, wf->wFormatTag);
out_uint16_le(s, wf->nChannels);
out_uint32_le(s, wf->nSamplesPerSec);
--
2.39.0

84
xrdp-CVE-2022-23478.patch
View File

@ -1,84 +0,0 @@
From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:12:42 +0000
Subject: [PATCH 2/9] CVE-2022-23478
Fix potential OOB write if invalid chansrv channel opened
Also removed an unnecessary dynamic memory allocation
---
xrdp/xrdp_mm.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 74b0516a..c91e03ab 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
int error;
int chan_id;
int chansrv_chan_id;
- char *name;
+ char name[1024 + 1];
struct xrdp_drdynvc_procs procs;
if (!s_check_rem(s, 2))
@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
return 1;
}
in_uint32_le(s, name_bytes);
- if ((name_bytes < 1) || (name_bytes > 1024))
- {
- return 1;
- }
- name = g_new(char, name_bytes + 1);
- if (name == NULL)
+ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1)))
{
return 1;
}
if (!s_check_rem(s, name_bytes))
{
- g_free(name);
return 1;
}
in_uint8a(s, name, name_bytes);
name[name_bytes] = 0;
if (!s_check_rem(s, 8))
{
- g_free(name);
return 1;
}
in_uint32_le(s, flags);
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
+
if (flags == 0)
{
/* open static channel, not supported */
- g_free(name);
return 1;
}
else
@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
&chan_id);
if (error != 0)
{
- g_free(name);
return 1;
}
self->xr2cr_cid_map[chan_id] = chansrv_chan_id;
self->cs2xr_cid_map[chansrv_chan_id] = chan_id;
}
- g_free(name);
return 0;
}
--
2.39.0

82
xrdp-CVE-2022-23479.patch
View File

@ -1,82 +0,0 @@
From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:44:56 +0000
Subject: [PATCH 3/9] CVE-2022-23479
Detect attempts to overflow input buffer
If application code hasn't properly sanitised the header_size
for a transport, it is possible for read requests to be issued
which overflow the input buffer. This change detects this
at a low level and bounces the read request.
---
common/trans.c | 19 +++++++++++++++----
common/trans.h | 2 +-
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/common/trans.c b/common/trans.c
index 55d2a638..1d2d3e68 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
tbus in_sck = (tbus) 0;
struct trans *in_trans = (struct trans *) NULL;
int read_bytes = 0;
- int to_read = 0;
- int read_so_far = 0;
+ unsigned int to_read = 0;
+ unsigned int read_so_far = 0;
int rv = 0;
enum xrdp_source cur_source;
@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
}
else if (self->trans_can_recv(self, self->sck, 0))
{
+ /* CVE-2022-23479 - check a malicious caller hasn't managed
+ * to set the header_size to an unreasonable value */
+ if (self->header_size > (unsigned int)self->in_s->size)
+ {
+ LOG(LOG_LEVEL_ERROR,
+ "trans_check_wait_objs: Reading %u bytes beyond buffer",
+ self->header_size - (unsigned int)self->in_s->size);
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+
cur_source = XRDP_SOURCE_NONE;
if (self->si != 0)
{
cur_source = self->si->cur_source;
self->si->cur_source = self->my_source;
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
to_read = self->header_size - read_so_far;
if (to_read > 0)
@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
}
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
if (read_so_far == self->header_size)
{
diff --git a/common/trans.h b/common/trans.h
index 1cd89fda..313c543b 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -98,7 +98,7 @@ struct trans
ttrans_data_in trans_data_in;
ttrans_conn_in trans_conn_in;
void *callback_data;
- int header_size;
+ unsigned int header_size;
struct stream *in_s;
struct stream *out_s;
char *listen_filename;
--
2.39.0

355
xrdp-CVE-2022-23480.patch
View File

@ -1,355 +0,0 @@
From 6680c506e4562715e3ff500c114208dac88863cb Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 12:48:57 +0000
Subject: [PATCH 4/9] CVE-2022-23480
Added length checking to redirector response parsing
---
sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++-------
1 file changed, 123 insertions(+), 28 deletions(-)
diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
index a44d47e6..7faa9bfc 100644
--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void);
static void devredir_send_server_clientID_confirm(void);
static void devredir_send_server_user_logged_on(void);
-static void devredir_proc_client_core_cap_resp(struct stream *s);
-static void devredir_proc_client_devlist_announce_req(struct stream *s);
-static void devredir_proc_client_devlist_remove_req(struct stream *s);
-static void devredir_proc_device_iocompletion(struct stream *s);
+static int devredir_proc_client_core_cap_resp(struct stream *s);
+static int devredir_proc_client_devlist_announce_req(struct stream *s);
+static int devredir_proc_client_devlist_remove_req(struct stream *s);
+static int devredir_proc_device_iocompletion(struct stream *s);
static void devredir_proc_query_dir_response(IRP *irp,
struct stream *s_in,
tui32 DeviceId,
@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
}
/* read header from incoming data */
+ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER"))
+ {
+ rv = -1;
+ goto done;
+ }
xstream_rd_u16_le(ls, comp_type);
xstream_rd_u16_le(ls, pktID);
@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
switch (pktID)
{
case PAKID_CORE_CLIENTID_CONFIRM:
- xstream_seek(ls, 2); /* major version, we ignore it */
- xstream_rd_u16_le(ls, minor_ver);
- xstream_rd_u32_le(ls, g_clientID);
+ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP"))
+ {
+ rv = -1;
+ }
+ else
+ {
+ xstream_seek(ls, 2); /* major version, we ignore it */
+ xstream_rd_u16_le(ls, minor_ver);
+ xstream_rd_u32_le(ls, g_clientID);
- g_client_rdp_version = minor_ver;
+ g_client_rdp_version = minor_ver;
- switch (minor_ver)
- {
- case RDP_CLIENT_50:
- break;
+ switch (minor_ver)
+ {
+ case RDP_CLIENT_50:
+ break;
- case RDP_CLIENT_51:
- break;
+ case RDP_CLIENT_51:
+ break;
- case RDP_CLIENT_52:
- break;
+ case RDP_CLIENT_52:
+ break;
- case RDP_CLIENT_60_61:
- break;
+ case RDP_CLIENT_60_61:
+ break;
+ }
+ // LK_TODO devredir_send_server_clientID_confirm();
}
- // LK_TODO devredir_send_server_clientID_confirm();
break;
case PAKID_CORE_CLIENT_NAME:
@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
break;
case PAKID_CORE_CLIENT_CAPABILITY:
- devredir_proc_client_core_cap_resp(ls);
+ rv = devredir_proc_client_core_cap_resp(ls);
break;
case PAKID_CORE_DEVICELIST_ANNOUNCE:
- devredir_proc_client_devlist_announce_req(ls);
+ rv = devredir_proc_client_devlist_announce_req(ls);
break;
case PAKID_CORE_DEVICELIST_REMOVE:
- devredir_proc_client_devlist_remove_req(ls);
+ rv = devredir_proc_client_devlist_remove_req(ls);
break;
case PAKID_CORE_DEVICE_IOCOMPLETION:
- devredir_proc_device_iocompletion(ls);
+ rv = devredir_proc_device_iocompletion(ls);
break;
default:
@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id,
* @brief process client's response to our core_capability_req() msg
*
* @param s stream containing client's response
+ * @return 0 for success, -1 otherwise
*****************************************************************************/
-static void
+static int
devredir_proc_client_core_cap_resp(struct stream *s)
{
int i;
@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s)
tui32 cap_version;
char *holdp;
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, num_caps);
xstream_seek(s, 2); /* padding */
for (i = 0; i < num_caps; i++)
{
holdp = s->p;
+ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, cap_type);
xstream_rd_u16_le(s, cap_len);
xstream_rd_u32_le(s, cap_version);
+ /* Convert the length to a remaining length. Underflow is possible,
+ * but this is an unsigned type so that's OK */
+ cap_len -= (s->p - holdp);
+ if (cap_len > 0 &&
+ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length"))
+ {
+ return -1;
+ }
switch (cap_type)
{
@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s)
scard_init();
break;
}
- s->p = holdp + cap_len;
+ xstream_seek(s, cap_len);
}
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_announce_req(struct stream *s)
{
unsigned int i;
@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
enum NTSTATUS response_status;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ"))
+ {
+ return -1;
+ }
+
xstream_rd_u32_le(s, device_count);
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count);
for (i = 0; i < device_count; i++)
{
+ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_type);
xstream_rd_u32_le(s, g_device_id);
/* get preferred DOS name
@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
/* Read the device data length from the stream */
xstream_rd_u32_le(s, device_data_len);
+ if (device_data_len > 0 && !
+ !s_check_rem_and_log(s, device_data_len,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata"))
+ {
+ return -1;
+ }
switch (device_type)
{
@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
devredir_send_server_device_announce_resp(g_device_id,
response_status);
}
+
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_remove_req(struct stream *s)
{
unsigned int i;
@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
tui32 device_id;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_count);
+ if (!s_check_rem_and_log(s, 4 * device_count,
+ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list"))
+ {
+ return -1;
+ }
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count);
{
@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
xfuse_delete_share(device_id);
}
}
+ return 0;
}
-static void
+static int
devredir_proc_device_iocompletion(struct stream *s)
{
IRP *irp = NULL;
@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s)
tui32 Length;
enum COMPLETION_TYPE comp_type;
+ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, DeviceId);
xstream_rd_u32_le(s, CompletionId);
xstream_rd_u32_le(s, IoStatus32);
@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s)
}
else
{
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_send_drive_dir_request(irp, DeviceId,
1, irp->pathname);
@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_CREATE_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_create_file(
@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_OPEN_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info,
@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_READ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
+ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+ {
+ return -1;
+ }
xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info,
IoStatus,
s->p, Length);
@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_WRITE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info,
IoStatus,
@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RMDIR_OR_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rmdir_or_file(irp, IoStatus);
break;
@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RENAME_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rename_file(irp, IoStatus);
break;
@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
}
}
+ return 0;
}
static void
--
2.39.0

45
xrdp-CVE-2022-23481.patch
View File

@ -1,45 +0,0 @@
From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:40:25 +0000
Subject: [PATCH 5/9] CVE-2022-23481
Add length checks to client confirm active PDU parsing
---
libxrdp/xrdp_caps.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c
index 5c5e74a5..ac21cc0a 100644
--- a/libxrdp/xrdp_caps.c
+++ b/libxrdp/xrdp_caps.c
@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s)
int len;
char *p;
+ if (!s_check_rem_and_log(s, 10,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header"))
+ {
+ return 1;
+ }
in_uint8s(s, 4); /* rdp_shareid */
in_uint8s(s, 2); /* userid */
in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */
in_uint16_le(s, cap_len);
+
+ if (!s_check_rem_and_log(s, source_len + 2 + 2,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header2"))
+ {
+ return 1;
+ }
in_uint8s(s, source_len);
in_uint16_le(s, num_caps);
in_uint8s(s, 2); /* pad */
+
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU "
"shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, "
"lengthCombinedCapabilities %d, sourceDescriptor (ignored), "
--
2.39.0

68
xrdp-CVE-2022-23482.patch
View File

@ -1,68 +0,0 @@
From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:05:46 +0000
Subject: [PATCH 6/9] CVE-2022-23482
Check minimum length of TS_UD_CS_CORE message
---
libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 691d4f04..084fca6b 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
static int
xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
{
+#define CS_CORE_MIN_LENGTH \
+ (\
+ 4 + /* Version */ \
+ 2 + 2 + /* desktopWidth + desktopHeight */ \
+ 2 + 2 + /* colorDepth + SASSequence */ \
+ 4 + /* keyboardLayout */ \
+ 4 + 32 + /* clientBuild + clientName */ \
+ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
+ 64 + /* imeFileName */ \
+ 0)
+
int version;
int colorDepth;
int postBeta2ColorDepth;
@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
UNUSED_VAR(version);
- /* TS_UD_CS_CORE requiered fields */
+ /* TS_UD_CS_CORE required fields */
+ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+ {
+ return 1;
+ }
in_uint32_le(s, version);
in_uint16_le(s, self->rdp_layer->client_info.width);
in_uint16_le(s, self->rdp_layer->client_info.height);
@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
clientName);
/* TS_UD_CS_CORE optional fields */
+ if (!s_check_rem(s, 2))
+ {
+ return 0;
+ }
in_uint16_le(s, postBeta2ColorDepth);
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
"<Optional Field> postBeta2ColorDepth %s",
@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
"<Optional Field> desktopOrientation (ignored)");
return 0;
+#undef CS_CORE_MIN_LENGTH
}
/*****************************************************************************/
--
2.39.0

63
xrdp-CVE-2022-23483.patch
View File

@ -1,63 +0,0 @@
From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH 7/9] CVE-2022-23483
Sanitise channel data being passed from application
Avoids OOB read if the size field is incorrect.
---
xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index c91e03ab..bc7b1b83 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans)
static int
xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
{
- int size;
- int total_size;
+ unsigned int size;
+ unsigned int total_size;
int chan_id;
int chan_flags;
- int rv;
-
- in_uint16_le(s, chan_id);
- in_uint16_le(s, chan_flags);
- in_uint16_le(s, size);
- in_uint32_le(s, total_size);
- rv = 0;
+ int rv = 0;
- if (rv == 0)
+ if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+ {
+ rv = 1;
+ }
+ else
{
- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
- chan_flags);
+ in_uint16_le(s, chan_id);
+ in_uint16_le(s, chan_flags);
+ in_uint16_le(s, size);
+ in_uint32_le(s, total_size);
+ if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+ {
+ rv = 1;
+ }
+ else
+ {
+ rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+ s->p, size, total_size, chan_flags);
+ }
}
return rv;
--
2.39.0

30
xrdp-CVE-2022-23484.patch
View File

@ -1,30 +0,0 @@
From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:03:24 +0000
Subject: [PATCH 8/9] CVE-2022-23484
Add check for RAIL window text size
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index bc7b1b83..b59345d7 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s)
g_memset(&rwso, 0, sizeof(rwso));
in_uint32_le(s, size); /* title size */
+ if (size < 0 || !s_check_rem(s, size))
+ {
+ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d",
+ __func__, size);
+ return 1;
+ }
rwso.title_info = g_new(char, size + 1);
in_uint8a(s, rwso.title_info, size);
rwso.title_info[size] = 0;
--
2.39.0

32
xrdp-CVE-2022-23493.patch
View File

@ -1,32 +0,0 @@
From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:49:06 +0000
Subject: [PATCH 9/9] CVE-2022-23493
Check chansrv channel ID on a channel close
Prevent OOB read if an invalid channel ID is sent.
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index b59345d7..c27c2341 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self,
return 1;
}
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
chan_id = self->cs2xr_cid_map[chansrv_chan_id];
/* close dynamic channel */
error = libxrdp_drdynvc_close(self->wm->session, chan_id);
--
2.39.0

96
xrdp-make-pamconfdir-configurable.patch
View File

@ -1,96 +0,0 @@
From 8be6bc137e44939d15a8b28eff4df53c961ca84c Mon Sep 17 00:00:00 2001
From: Yifan J <yifanj2007@gmail.com>
Date: Tue, 21 Feb 2023 09:50:46 +0800
Subject: [PATCH] Make pam.d directory configurable
---
configure.ac | 7 +++++++
instfiles/pam.d/Makefile.am | 2 +-
sesman/Makefile.am | 1 +
sesman/tools/Makefile.am | 1 +
sesman/verify_user_pam.c | 10 +++++++++-
5 files changed, 19 insertions(+), 2 deletions(-)
Index: xrdp-0.9.20/configure.ac
===================================================================
--- xrdp-0.9.20.orig/configure.ac
+++ xrdp-0.9.20/configure.ac
@@ -464,6 +464,12 @@ if test "x$enable_strict_locations" != "
localstatedir="/var";
fi
+AC_ARG_WITH([pamconfdir],
+ [AS_HELP_STRING([--with-pamconfdir=DIR],
+ [Use directory for pam.d config (default: /etc/pam.d)])],
+ [], [with_pamconfdir="$sysconfdir/pam.d"])
+AC_SUBST([pamconfdir], [$with_pamconfdir])
+
PKG_INSTALLDIR
AC_CHECK_HEADERS([sys/prctl.h])
@@ -542,6 +548,7 @@ echo " exec_prefix $exec_pr
echo " libdir $libdir"
echo " bindir $bindir"
echo " sysconfdir $sysconfdir"
+echo " pamconfdir $pamconfdir"
echo ""
echo " unit tests performable $perform_unit_tests"
echo ""
Index: xrdp-0.9.20/instfiles/pam.d/Makefile.am
===================================================================
--- xrdp-0.9.20.orig/instfiles/pam.d/Makefile.am
+++ xrdp-0.9.20/instfiles/pam.d/Makefile.am
@@ -25,7 +25,7 @@ endif
endif
endif
-pamddir = $(sysconfdir)/pam.d
+pamddir = $(pamconfdir)
pamd_DATA = \
$(PAMFILE)
Index: xrdp-0.9.20/sesman/Makefile.am
===================================================================
--- xrdp-0.9.20.orig/sesman/Makefile.am
+++ xrdp-0.9.20/sesman/Makefile.am
@@ -8,6 +8,7 @@ AM_CPPFLAGS = \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
+ -DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \
-I$(top_srcdir)/common \
-I$(top_srcdir)/sesman/libscp
Index: xrdp-0.9.20/sesman/tools/Makefile.am
===================================================================
--- xrdp-0.9.20.orig/sesman/tools/Makefile.am
+++ xrdp-0.9.20/sesman/tools/Makefile.am
@@ -4,6 +4,7 @@ AM_CPPFLAGS = \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
+ -DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \
-I$(top_srcdir)/common \
-I$(top_srcdir)/sesman/libscp \
-I$(top_srcdir)/sesman
Index: xrdp-0.9.20/sesman/verify_user_pam.c
===================================================================
--- xrdp-0.9.20.orig/sesman/verify_user_pam.c
+++ xrdp-0.9.20/sesman/verify_user_pam.c
@@ -197,7 +197,15 @@ get_service_name(char *service_name)
service_name[0] = 0;
if (g_file_exist("/etc/pam.d/xrdp-sesman") ||
- g_file_exist(XRDP_SYSCONF_PATH "/pam.d/xrdp-sesman"))
+#ifdef __LINUX_PAM__
+ /* /usr/lib/pam.d is hardcoded into Linux-PAM */
+ g_file_exist("/usr/lib/pam.d/xrdp-sesman") ||
+#endif
+#ifdef OPENPAM_VERSION
+ /* /usr/local/etc/pam.d is hardcoded into OpenPAM */
+ g_file_exist("/usr/local/etc/pam.d/xrdp-sesman") ||
+#endif
+ g_file_exist(XRDP_PAMCONF_PATH "/xrdp-sesman"))
{
g_strncpy(service_name, "xrdp-sesman", 255);
}

35
xrdp-update-pam.d-path.patch
View File

@ -1,35 +0,0 @@
From 76716169e3fe95b14c75b5571717b148b524909c Mon Sep 17 00:00:00 2001
From: Daike Yu <yu.daike@suse.com>
Date: Mon, 7 Nov 2022 18:27:07 +0800
Subject: [PATCH] Update pamdir_suse to accommodate with TW pam.d move
References: bsc#1203468
Upstream: submitted
On newer builds of openSUSE tumbleweed the path of pam.d has moved from
/usr/etc/pam.d to /usr/lib/pam.d, which prevents install script to
correctly guess pam rules. Updating path in mkpamrules solves the
problem.
---
instfiles/pam.d/mkpamrules | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/instfiles/pam.d/mkpamrules b/instfiles/pam.d/mkpamrules
index 989a52f4..230d92be 100755
--- a/instfiles/pam.d/mkpamrules
+++ b/instfiles/pam.d/mkpamrules
@@ -8,7 +8,11 @@ outfile="$3"
service="xrdp-sesman"
pamdir="/etc/pam.d"
-pamdir_suse="/usr/etc/pam.d"
+pamdir_suse="/usr/lib/pam.d"
+if [ ! -d $pamdir_suse ]; then
+ # Older SUSE distros uses /usr/etc/pam.d
+ pamdir_suse="/usr/etc/pam.d"
+fi
# Modules needed by xrdp-sesman.unix, if we get to that
unix_modules_needed="pam_unix.so pam_env.so pam_nologin.so"
--
2.35.3

45
xrdp.changes
View File

@ -1,3 +1,48 @@
-------------------------------------------------------------------
Thu Aug 3 04:01:39 UTC 2023 - Linnaea Lavia <linnaea@lavia.moe>
- Update to version 0.9.22
+ New features
- Empty passwords are no longer automatically passed through to sesman for authentication
- Don't try to listen on the scard socket if it isn't there
- The directory where PAM configuration files are installed can now be set with --with-pamconfdir
- Sesman can now be configured to ignore alternate shells passed from the client
- Allow longer UserWindowManager strings
- openSuSE Tumbleweed move to /usr/lib/pam.d is now supported in the installation scripts
- VNC backend session now supports extra mouse buttons 6, 7 and 8
+ Bug fixes
- Minor documentation fixes
- Memory management fixes to list module
- Fix some noise when MP3/AAC are in use and some logging improvements
- Fix potential NULL dereferences in chansrv
- An erroneous free in the smartcard handling code has been removed
- Passwords are no longer left on the heap in sesman
- Set permissions on pcsc socket dir to owner only
+ Security fixes
- CVE-2022-23468
- CVE-2022-23477
- CVE-2022-23478
- CVE-2022-23479
- CVE-2022-23480
- CVE-2022-23481
- CVE-2022-23482
- CVE-2022-23483
- CVE-2022-23484
- CVE-2022-23493
- Drop upstreamed patches:
xrdp-CVE-2022-23468.patch
xrdp-CVE-2022-23477.patch
xrdp-CVE-2022-23478.patch
xrdp-CVE-2022-23479.patch
xrdp-CVE-2022-23480.patch
xrdp-CVE-2022-23481.patch
xrdp-CVE-2022-23482.patch
xrdp-CVE-2022-23483.patch
xrdp-CVE-2022-23484.patch
xrdp-CVE-2022-23493.patch
xrdp-make-pamconfdir-configurable.patch
xrdp-update-pam.d-path.patch
-------------------------------------------------------------------
Tue Jun 6 14:19:55 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>

38
xrdp.spec
View File

@ -22,7 +22,7 @@
%endif
Name: xrdp
Version: 0.9.20
Version: 0.9.22.1
Release: 0
Summary: Remote desktop protocol (RDP) server
License: Apache-2.0 AND GPL-2.0-or-later
@ -44,30 +44,6 @@ Patch4: xrdp-disable-8-bpp-vnc-support.patch
Patch5: xrdp-support-KillDisconnected-for-Xvnc.patch
# PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 - fezhang@suse.com -- Let systemd handle the daemons
Patch6: xrdp-systemd-services.patch
# PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 - yu.daike@suse.com -- update install script to accommodate with pam.d path move
Patch7: xrdp-update-pam.d-path.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23468.patch bsc#1206300 - yu.daike@suse.com -- Buffer overflow in xrdp_login_wnd_create()
Patch8: xrdp-CVE-2022-23468.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23478.patch bsc#1206302 - yu.daike@suse.com -- Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
Patch9: xrdp-CVE-2022-23478.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23479.patch bsc#1206303 - yu.daike@suse.com -- Buffer overflow in xrdp_mm_chan_data_in() function
Patch10: xrdp-CVE-2022-23479.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23480.patch bsc#1206306 - yu.daike@suse.com -- Buffer overflow in devredir_proc_client_devlist_announce_req
Patch11: xrdp-CVE-2022-23480.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23481.patch bsc#1206307 - yu.daike@suse.com -- Out of Bound Read in xrdp_caps_process_confirm_active()
Patch12: xrdp-CVE-2022-23481.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23482.patch bsc#1206310 - yu.daike@suse.com -- Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
Patch13: xrdp-CVE-2022-23482.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23483.patch bsc#1206311 - yu.daike@suse.com -- Out of Bound Read in libxrdp_send_to_channel()
Patch14: xrdp-CVE-2022-23483.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23484.patch bsc#1206312 - yu.daike@suse.com -- Integer Overflow in xrdp_mm_process_rail_update_window_text()
Patch15: xrdp-CVE-2022-23484.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23493.patch bsc#1206313 - yu.daike@suse.com -- Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
Patch16: xrdp-CVE-2022-23493.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23477.patch bsc#1206301 - yu.daike@suse.com -- Buffer over flow in audin_send_open() function
Patch17: xrdp-CVE-2022-23477.patch
# PATCH-FIX-UPSTREAM xrdp-make-pamconfdir-configurable.patch gh#neutrinolabs/xrdp!2552 bsc#1208121 - yfjiang@suse.com -- Configure pam.d directory at build time
Patch18: xrdp-make-pamconfdir-configurable.patch
# Keep SLE only patches on the bottom starting from patch number 1001
# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support.
@ -130,18 +106,6 @@ This package contains libraries for the JPEG2000 codec for RDP.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%if 0%{?sle_version}
%patch1001 -p1
%patch1002 -p1