From 8222d51000fcad595f70b238d8121c46e1751fef9d05d68f566b03056dbe3249 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 8 Aug 2023 07:00:45 +0000 Subject: [PATCH] Accepting request 1102086 from home:linnaea:branches:X11:RemoteDesktop - Update to version 0.9.22 + New features - Empty passwords are no longer automatically passed through to sesman for authentication - Don't try to listen on the scard socket if it isn't there - The directory where PAM configuration files are installed can now be set with --with-pamconfdir - Sesman can now be configured to ignore alternate shells passed from the client - Allow longer UserWindowManager strings - openSuSE Tumbleweed move to /usr/lib/pam.d is now supported in the installation scripts - VNC backend session now supports extra mouse buttons 6, 7 and 8 + Bug fixes - Minor documentation fixes - Memory management fixes to list module - Fix some noise when MP3/AAC are in use and some logging improvements - Fix potential NULL dereferences in chansrv - An erroneous free in the smartcard handling code has been removed - Passwords are no longer left on the heap in sesman - Set permissions on pcsc socket dir to owner only - Drop upstreamed patches: xrdp-CVE-2022-23468.patch xrdp-CVE-2022-23477.patch xrdp-CVE-2022-23478.patch xrdp-CVE-2022-23479.patch xrdp-CVE-2022-23480.patch xrdp-CVE-2022-23481.patch xrdp-CVE-2022-23482.patch xrdp-CVE-2022-23483.patch xrdp-CVE-2022-23484.patch xrdp-CVE-2022-23493.patch xrdp-make-pamconfdir-configurable.patch xrdp-update-pam.d-path.patch OBS-URL: https://build.opensuse.org/request/show/1102086 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=119 --- xrdp-0.9.20.tar.gz | 3 - xrdp-0.9.20.tar.gz.asc | 16 -- xrdp-0.9.22.1.tar.gz | 3 + xrdp-0.9.22.1.tar.gz.asc | 16 ++ xrdp-CVE-2022-23468.patch | 33 --- xrdp-CVE-2022-23477.patch | 37 --- xrdp-CVE-2022-23478.patch | 84 ------ xrdp-CVE-2022-23479.patch | 82 ------ xrdp-CVE-2022-23480.patch | 355 ------------------------ xrdp-CVE-2022-23481.patch | 45 --- xrdp-CVE-2022-23482.patch | 68 ----- xrdp-CVE-2022-23483.patch | 63 ----- xrdp-CVE-2022-23484.patch | 30 -- xrdp-CVE-2022-23493.patch | 32 --- xrdp-make-pamconfdir-configurable.patch | 96 ------- xrdp-update-pam.d-path.patch | 35 --- xrdp.changes | 45 +++ xrdp.spec | 38 +-- 18 files changed, 65 insertions(+), 1016 deletions(-) delete mode 100644 xrdp-0.9.20.tar.gz delete mode 100644 xrdp-0.9.20.tar.gz.asc create mode 100644 xrdp-0.9.22.1.tar.gz create mode 100644 xrdp-0.9.22.1.tar.gz.asc delete mode 100644 xrdp-CVE-2022-23468.patch delete mode 100644 xrdp-CVE-2022-23477.patch delete mode 100644 xrdp-CVE-2022-23478.patch delete mode 100644 xrdp-CVE-2022-23479.patch delete mode 100644 xrdp-CVE-2022-23480.patch delete mode 100644 xrdp-CVE-2022-23481.patch delete mode 100644 xrdp-CVE-2022-23482.patch delete mode 100644 xrdp-CVE-2022-23483.patch delete mode 100644 xrdp-CVE-2022-23484.patch delete mode 100644 xrdp-CVE-2022-23493.patch delete mode 100644 xrdp-make-pamconfdir-configurable.patch delete mode 100644 xrdp-update-pam.d-path.patch diff --git a/xrdp-0.9.20.tar.gz b/xrdp-0.9.20.tar.gz deleted file mode 100644 index 4f83442..0000000 --- a/xrdp-0.9.20.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb -size 2062157 diff --git a/xrdp-0.9.20.tar.gz.asc b/xrdp-0.9.20.tar.gz.asc deleted file mode 100644 index fb3e3c1..0000000 --- a/xrdp-0.9.20.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEGKuDipBxZ3RZFIcZA5k7QGXnGTsFAmMiv48ACgkQA5k7QGXn -GTulEhAAnTDBCyslV+m1Z9cJ/Pkt08vVGcOS+O9tDZIFu/oCRGKqjS/h/tOWMPaK -zbPT0U9Lf/EfyqBeJYc6UwZdEijL2QV1kSyeKYTIlGomecxJERDbh38q6iJYTkHf -l3tiShaT1jxWQyeTMDPLuOC4UE0d1R2RYpCIm1c9MWPx9pTiBvvtIespzjeAM5Sp -7/o5d+8aIp1XL8/v0I//zPUCHdvADwqEgwDh76OdNIqWBpIoRfdIdmZYsR8a/ZcF -Y8+UIrYHt5tXHnAgiAXQep5l96JNH+tMZQ2n4w0tO7FSKmC+L8lLqaAfSBrgFbHF -BMVs+IV9HrTA9TLogzAAheZ5lIrw2DHswHS/3tgYl5++BCWC++TWkV04/+FY2Cbc -YNAeQ5vOfolsagWraSDr/DQOcar+GEjMLX4b2KYoKnBU6RoSHgkXaaxrO9ruXUZd -V3U0zqtEGJDVelLaZ4cV/Z9OGYtmr3NrKI4Xb+PjI6DFLoimx1g58VN6A5Fku33W -MnaXRXKZBsbJWe9FmoA1q7oERuFDQTkRgJyi4rIZiZDHQtNHeoF7T5R8yVtFjk5R -g3Lq9KAzuw84vCzg30THd228gV3ookGu7L5JWvsaVDb8CdN2uxIMYQoijCQbgw/p -CMrqNiH3KvjlnPoLn9iYYhhe84io+HQk1ZNwIIQ/yWYjU0z2RJQ= -=egk+ ------END PGP SIGNATURE----- diff --git a/xrdp-0.9.22.1.tar.gz b/xrdp-0.9.22.1.tar.gz new file mode 100644 index 0000000..ccbd54a --- /dev/null +++ b/xrdp-0.9.22.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6dd320cfe9594a2aaa78f90adfe1bb550f9ce3f58bd9fc312dd30d003cb7f3cb +size 2059401 diff --git a/xrdp-0.9.22.1.tar.gz.asc b/xrdp-0.9.22.1.tar.gz.asc new file mode 100644 index 0000000..17b7fd3 --- /dev/null +++ b/xrdp-0.9.22.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEGKuDipBxZ3RZFIcZA5k7QGXnGTsFAmRsEM0ACgkQA5k7QGXn +GTvOXA//cvi3R0CMIOtTCb8LYXEeH6+S8c4Mr/FDvvWn/7+lKcDG2T/d5dLkLobn +oQjmdnFT/aTlcQau5tlbpRms5zYjT9uAx4CCQ6pQENEbzlq4hB4yQ8ue8b9Up08v +4W0JyMZYpq96Hd1VgNOf+MBkLsHbKsCPB8f6GqEWvdMIrRtBTvP4pb+BxLgKxcZ8 +afWRcjymgVUBRgwzAP2KAiOhFM6aVCUVf0JQ97YxhZWMt2+IWwl0MvJW4otztMC/ +FgOomfdXnkhUKjdN5GTbG4mwBF4NiLSQirQfdFp+mkpZMTQNoqkahymXbAv9O525 +mqpItW59MjkonlvpPwX3ZiRBjOezOFhq/tAyKUWJ2FxYG7YRuVM50rrI8bhIQ90N +JO2KIwfLcki+wNDNlYYZvUFV6vdjwIOWy26gtsu0sTCSH7BIZ9kezxhfYiY9BBGN +6XuCtz6/rbcF89a7pMJoME+obGDlemp7vmhAf5R3pjtXjfj62eIfxefvjt0w1rvU +fujowcsgOUWAQ3evMSedrjThdD6fETbNc9nHCtum0SzMcupTZp4bBhDR2eaVv4QF +kd+BwG0vE+tiWDs6xeKrxhNS/Ok80B7coFeynuzALQXxVQk69e7mTmZtotkRAwx2 ++hXaVl+EjuskKFPevrz6TlIzQYNj7qyjhgGbJ4HllUcsJdc7Wa4= +=ePiK +-----END PGP SIGNATURE----- diff --git a/xrdp-CVE-2022-23468.patch b/xrdp-CVE-2022-23468.patch deleted file mode 100644 index 4683aeb..0000000 --- a/xrdp-CVE-2022-23468.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a0b5de1d09ed149cbbee8697f001adbbe9476a06 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 09:16:44 +0000 -Subject: [PATCH 1/9] CVE-2022-23468 - -Login window - replace g_sprintf() withl g_snprintf() calls ---- - xrdp/xrdp_login_wnd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c -index 7a3134fd..28748676 100644 ---- a/xrdp/xrdp_login_wnd.c -+++ b/xrdp/xrdp_login_wnd.c -@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self) - if (globals->ls_title[0] == 0) - { - g_gethostname(buf1, 256); -- g_sprintf(buf, "Login to %s", buf1); -+ g_snprintf(buf, sizeof(buf), "Login to %s", buf1); - set_string(&self->login_window->caption1, buf); - } - else - { - /*self->login_window->caption1 = globals->ls_title[0];*/ -- g_sprintf(buf, "%s", globals->ls_title); -+ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title); - set_string(&self->login_window->caption1, buf); - } - --- -2.39.0 - diff --git a/xrdp-CVE-2022-23477.patch b/xrdp-CVE-2022-23477.patch deleted file mode 100644 index eb27e2f..0000000 --- a/xrdp-CVE-2022-23477.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Tue, 6 Dec 2022 11:31:31 +0000 -Subject: [PATCH] CVE-2022-23477 - -Prevent buffer overflow for oversized audio format from client ---- - sesman/chansrv/audin.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c -index cd802fa5..36a8027a 100644 ---- a/sesman/chansrv/audin.c -+++ b/sesman/chansrv/audin.c -@@ -181,15 +181,16 @@ audin_send_open(int chan_id) - int error; - int bytes; - struct stream *s; -- struct xr_wave_format_ex *wf; -+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format]; - - LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:"); - make_stream(s); -- init_stream(s, 8192); -+ /* wf->cbSize was checked when the format was received */ -+ init_stream(s, wf->cbSize + 64); -+ - out_uint8(s, MSG_SNDIN_OPEN); - out_uint32_le(s, 2048); /* FramesPerPacket */ - out_uint32_le(s, g_current_format); /* initialFormat */ -- wf = g_client_formats[g_current_format]; - out_uint16_le(s, wf->wFormatTag); - out_uint16_le(s, wf->nChannels); - out_uint32_le(s, wf->nSamplesPerSec); --- -2.39.0 - diff --git a/xrdp-CVE-2022-23478.patch b/xrdp-CVE-2022-23478.patch deleted file mode 100644 index 72ab0b1..0000000 --- a/xrdp-CVE-2022-23478.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 11:12:42 +0000 -Subject: [PATCH 2/9] CVE-2022-23478 - -Fix potential OOB write if invalid chansrv channel opened - -Also removed an unnecessary dynamic memory allocation ---- - xrdp/xrdp_mm.c | 21 +++++++++------------ - 1 file changed, 9 insertions(+), 12 deletions(-) - -diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c -index 74b0516a..c91e03ab 100644 ---- a/xrdp/xrdp_mm.c -+++ b/xrdp/xrdp_mm.c -@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, - int error; - int chan_id; - int chansrv_chan_id; -- char *name; -+ char name[1024 + 1]; - struct xrdp_drdynvc_procs procs; - - if (!s_check_rem(s, 2)) -@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, - return 1; - } - in_uint32_le(s, name_bytes); -- if ((name_bytes < 1) || (name_bytes > 1024)) -- { -- return 1; -- } -- name = g_new(char, name_bytes + 1); -- if (name == NULL) -+ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1))) - { - return 1; - } - if (!s_check_rem(s, name_bytes)) - { -- g_free(name); - return 1; - } - in_uint8a(s, name, name_bytes); - name[name_bytes] = 0; - if (!s_check_rem(s, 8)) - { -- g_free(name); - return 1; - } - in_uint32_le(s, flags); - in_uint32_le(s, chansrv_chan_id); -+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) -+ { -+ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d", -+ chansrv_chan_id); -+ return 1; -+ } -+ - if (flags == 0) - { - /* open static channel, not supported */ -- g_free(name); - return 1; - } - else -@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, - &chan_id); - if (error != 0) - { -- g_free(name); - return 1; - } - self->xr2cr_cid_map[chan_id] = chansrv_chan_id; - self->cs2xr_cid_map[chansrv_chan_id] = chan_id; - } -- g_free(name); - return 0; - } - --- -2.39.0 - diff --git a/xrdp-CVE-2022-23479.patch b/xrdp-CVE-2022-23479.patch deleted file mode 100644 index 0cab189..0000000 --- a/xrdp-CVE-2022-23479.patch +++ /dev/null @@ -1,82 +0,0 @@ -From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 09:44:56 +0000 -Subject: [PATCH 3/9] CVE-2022-23479 - -Detect attempts to overflow input buffer - -If application code hasn't properly sanitised the header_size -for a transport, it is possible for read requests to be issued -which overflow the input buffer. This change detects this -at a low level and bounces the read request. ---- - common/trans.c | 19 +++++++++++++++---- - common/trans.h | 2 +- - 2 files changed, 16 insertions(+), 5 deletions(-) - -diff --git a/common/trans.c b/common/trans.c -index 55d2a638..1d2d3e68 100644 ---- a/common/trans.c -+++ b/common/trans.c -@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) - tbus in_sck = (tbus) 0; - struct trans *in_trans = (struct trans *) NULL; - int read_bytes = 0; -- int to_read = 0; -- int read_so_far = 0; -+ unsigned int to_read = 0; -+ unsigned int read_so_far = 0; - int rv = 0; - enum xrdp_source cur_source; - -@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) - } - else if (self->trans_can_recv(self, self->sck, 0)) - { -+ /* CVE-2022-23479 - check a malicious caller hasn't managed -+ * to set the header_size to an unreasonable value */ -+ if (self->header_size > (unsigned int)self->in_s->size) -+ { -+ LOG(LOG_LEVEL_ERROR, -+ "trans_check_wait_objs: Reading %u bytes beyond buffer", -+ self->header_size - (unsigned int)self->in_s->size); -+ self->status = TRANS_STATUS_DOWN; -+ return 1; -+ } -+ - cur_source = XRDP_SOURCE_NONE; - if (self->si != 0) - { - cur_source = self->si->cur_source; - self->si->cur_source = self->my_source; - } -- read_so_far = (int) (self->in_s->end - self->in_s->data); -+ read_so_far = self->in_s->end - self->in_s->data; - to_read = self->header_size - read_so_far; - - if (to_read > 0) -@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) - } - } - -- read_so_far = (int) (self->in_s->end - self->in_s->data); -+ read_so_far = self->in_s->end - self->in_s->data; - - if (read_so_far == self->header_size) - { -diff --git a/common/trans.h b/common/trans.h -index 1cd89fda..313c543b 100644 ---- a/common/trans.h -+++ b/common/trans.h -@@ -98,7 +98,7 @@ struct trans - ttrans_data_in trans_data_in; - ttrans_conn_in trans_conn_in; - void *callback_data; -- int header_size; -+ unsigned int header_size; - struct stream *in_s; - struct stream *out_s; - char *listen_filename; --- -2.39.0 - diff --git a/xrdp-CVE-2022-23480.patch b/xrdp-CVE-2022-23480.patch deleted file mode 100644 index 8e0bf46..0000000 --- a/xrdp-CVE-2022-23480.patch +++ /dev/null @@ -1,355 +0,0 @@ -From 6680c506e4562715e3ff500c114208dac88863cb Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Tue, 6 Dec 2022 12:48:57 +0000 -Subject: [PATCH 4/9] CVE-2022-23480 - -Added length checking to redirector response parsing ---- - sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++------- - 1 file changed, 123 insertions(+), 28 deletions(-) - -diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c -index a44d47e6..7faa9bfc 100644 ---- a/sesman/chansrv/devredir.c -+++ b/sesman/chansrv/devredir.c -@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void); - static void devredir_send_server_clientID_confirm(void); - static void devredir_send_server_user_logged_on(void); - --static void devredir_proc_client_core_cap_resp(struct stream *s); --static void devredir_proc_client_devlist_announce_req(struct stream *s); --static void devredir_proc_client_devlist_remove_req(struct stream *s); --static void devredir_proc_device_iocompletion(struct stream *s); -+static int devredir_proc_client_core_cap_resp(struct stream *s); -+static int devredir_proc_client_devlist_announce_req(struct stream *s); -+static int devredir_proc_client_devlist_remove_req(struct stream *s); -+static int devredir_proc_device_iocompletion(struct stream *s); - static void devredir_proc_query_dir_response(IRP *irp, - struct stream *s_in, - tui32 DeviceId, -@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, - } - - /* read header from incoming data */ -+ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER")) -+ { -+ rv = -1; -+ goto done; -+ } - xstream_rd_u16_le(ls, comp_type); - xstream_rd_u16_le(ls, pktID); - -@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, - switch (pktID) - { - case PAKID_CORE_CLIENTID_CONFIRM: -- xstream_seek(ls, 2); /* major version, we ignore it */ -- xstream_rd_u16_le(ls, minor_ver); -- xstream_rd_u32_le(ls, g_clientID); -+ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP")) -+ { -+ rv = -1; -+ } -+ else -+ { -+ xstream_seek(ls, 2); /* major version, we ignore it */ -+ xstream_rd_u16_le(ls, minor_ver); -+ xstream_rd_u32_le(ls, g_clientID); - -- g_client_rdp_version = minor_ver; -+ g_client_rdp_version = minor_ver; - -- switch (minor_ver) -- { -- case RDP_CLIENT_50: -- break; -+ switch (minor_ver) -+ { -+ case RDP_CLIENT_50: -+ break; - -- case RDP_CLIENT_51: -- break; -+ case RDP_CLIENT_51: -+ break; - -- case RDP_CLIENT_52: -- break; -+ case RDP_CLIENT_52: -+ break; - -- case RDP_CLIENT_60_61: -- break; -+ case RDP_CLIENT_60_61: -+ break; -+ } -+ // LK_TODO devredir_send_server_clientID_confirm(); - } -- // LK_TODO devredir_send_server_clientID_confirm(); - break; - - case PAKID_CORE_CLIENT_NAME: -@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, - break; - - case PAKID_CORE_CLIENT_CAPABILITY: -- devredir_proc_client_core_cap_resp(ls); -+ rv = devredir_proc_client_core_cap_resp(ls); - break; - - case PAKID_CORE_DEVICELIST_ANNOUNCE: -- devredir_proc_client_devlist_announce_req(ls); -+ rv = devredir_proc_client_devlist_announce_req(ls); - break; - - case PAKID_CORE_DEVICELIST_REMOVE: -- devredir_proc_client_devlist_remove_req(ls); -+ rv = devredir_proc_client_devlist_remove_req(ls); - break; - - case PAKID_CORE_DEVICE_IOCOMPLETION: -- devredir_proc_device_iocompletion(ls); -+ rv = devredir_proc_device_iocompletion(ls); - break; - - default: -@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id, - * @brief process client's response to our core_capability_req() msg - * - * @param s stream containing client's response -+ * @return 0 for success, -1 otherwise - *****************************************************************************/ --static void -+static int - devredir_proc_client_core_cap_resp(struct stream *s) - { - int i; -@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s) - tui32 cap_version; - char *holdp; - -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u16_le(s, num_caps); - xstream_seek(s, 2); /* padding */ - - for (i = 0; i < num_caps; i++) - { - holdp = s->p; -+ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER")) -+ { -+ return -1; -+ } - xstream_rd_u16_le(s, cap_type); - xstream_rd_u16_le(s, cap_len); - xstream_rd_u32_le(s, cap_version); -+ /* Convert the length to a remaining length. Underflow is possible, -+ * but this is an unsigned type so that's OK */ -+ cap_len -= (s->p - holdp); -+ if (cap_len > 0 && -+ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length")) -+ { -+ return -1; -+ } - - switch (cap_type) - { -@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s) - scard_init(); - break; - } -- s->p = holdp + cap_len; -+ xstream_seek(s, cap_len); - } -+ return 0; - } - --static void -+static int - devredir_proc_client_devlist_announce_req(struct stream *s) - { - unsigned int i; -@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s) - enum NTSTATUS response_status; - - /* get number of devices being announced */ -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ")) -+ { -+ return -1; -+ } -+ - xstream_rd_u32_le(s, device_count); - - LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count); - - for (i = 0; i < device_count; i++) - { -+ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4, -+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, device_type); - xstream_rd_u32_le(s, g_device_id); - /* get preferred DOS name -@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s) - - /* Read the device data length from the stream */ - xstream_rd_u32_le(s, device_data_len); -+ if (device_data_len > 0 && ! -+ !s_check_rem_and_log(s, device_data_len, -+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata")) -+ { -+ return -1; -+ } - - switch (device_type) - { -@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s) - devredir_send_server_device_announce_resp(g_device_id, - response_status); - } -+ -+ return 0; - } - --static void -+static int - devredir_proc_client_devlist_remove_req(struct stream *s) - { - unsigned int i; -@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s) - tui32 device_id; - - /* get number of devices being announced */ -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, device_count); -+ if (!s_check_rem_and_log(s, 4 * device_count, -+ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list")) -+ { -+ return -1; -+ } - - LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count); - { -@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s) - xfuse_delete_share(device_id); - } - } -+ return 0; - } - --static void -+static int - devredir_proc_device_iocompletion(struct stream *s) - { - IRP *irp = NULL; -@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s) - tui32 Length; - enum COMPLETION_TYPE comp_type; - -+ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, DeviceId); - xstream_rd_u32_le(s, CompletionId); - xstream_rd_u32_le(s, IoStatus32); -@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s) - } - else - { -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, irp->FileId); - devredir_send_drive_dir_request(irp, DeviceId, - 1, irp->pathname); -@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_CREATE_REQ: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, irp->FileId); - - xfuse_devredir_cb_create_file( -@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_OPEN_REQ: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, irp->FileId); - - xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info, -@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_READ: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, Length); -+ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP")) -+ { -+ return -1; -+ } - xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info, - IoStatus, - s->p, Length); -@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_WRITE: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, Length); - xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info, - IoStatus, -@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_RMDIR_OR_FILE: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, irp->FileId); - devredir_proc_cid_rmdir_or_file(irp, IoStatus); - break; -@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - - case CID_RENAME_FILE: -+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) -+ { -+ return -1; -+ } - xstream_rd_u32_le(s, irp->FileId); - devredir_proc_cid_rename_file(irp, IoStatus); - break; -@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s) - break; - } - } -+ return 0; - } - - static void --- -2.39.0 - diff --git a/xrdp-CVE-2022-23481.patch b/xrdp-CVE-2022-23481.patch deleted file mode 100644 index 614cbec..0000000 --- a/xrdp-CVE-2022-23481.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 10:40:25 +0000 -Subject: [PATCH 5/9] CVE-2022-23481 - -Add length checks to client confirm active PDU parsing ---- - libxrdp/xrdp_caps.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c -index 5c5e74a5..ac21cc0a 100644 ---- a/libxrdp/xrdp_caps.c -+++ b/libxrdp/xrdp_caps.c -@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s) - int len; - char *p; - -+ if (!s_check_rem_and_log(s, 10, -+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" -+ " - header")) -+ { -+ return 1; -+ } - in_uint8s(s, 4); /* rdp_shareid */ - in_uint8s(s, 2); /* userid */ - in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */ - in_uint16_le(s, cap_len); -+ -+ if (!s_check_rem_and_log(s, source_len + 2 + 2, -+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" -+ " - header2")) -+ { -+ return 1; -+ } - in_uint8s(s, source_len); - in_uint16_le(s, num_caps); - in_uint8s(s, 2); /* pad */ -+ - LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU " - "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, " - "lengthCombinedCapabilities %d, sourceDescriptor (ignored), " --- -2.39.0 - diff --git a/xrdp-CVE-2022-23482.patch b/xrdp-CVE-2022-23482.patch deleted file mode 100644 index 4af6cab..0000000 --- a/xrdp-CVE-2022-23482.patch +++ /dev/null @@ -1,68 +0,0 @@ -From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 11:05:46 +0000 -Subject: [PATCH 6/9] CVE-2022-23482 - -Check minimum length of TS_UD_CS_CORE message ---- - libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c -index 691d4f04..084fca6b 100644 ---- a/libxrdp/xrdp_sec.c -+++ b/libxrdp/xrdp_sec.c -@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) - static int - xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) - { -+#define CS_CORE_MIN_LENGTH \ -+ (\ -+ 4 + /* Version */ \ -+ 2 + 2 + /* desktopWidth + desktopHeight */ \ -+ 2 + 2 + /* colorDepth + SASSequence */ \ -+ 4 + /* keyboardLayout */ \ -+ 4 + 32 + /* clientBuild + clientName */ \ -+ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ -+ 64 + /* imeFileName */ \ -+ 0) -+ - int version; - int colorDepth; - int postBeta2ColorDepth; -@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) - - UNUSED_VAR(version); - -- /* TS_UD_CS_CORE requiered fields */ -+ /* TS_UD_CS_CORE required fields */ -+ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, -+ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) -+ { -+ return 1; -+ } - in_uint32_le(s, version); - in_uint16_le(s, self->rdp_layer->client_info.width); - in_uint16_le(s, self->rdp_layer->client_info.height); -@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) - clientName); - - /* TS_UD_CS_CORE optional fields */ -+ if (!s_check_rem(s, 2)) -+ { -+ return 0; -+ } - in_uint16_le(s, postBeta2ColorDepth); - LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " - " postBeta2ColorDepth %s", -@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) - " desktopOrientation (ignored)"); - - return 0; -+#undef CS_CORE_MIN_LENGTH - } - - /*****************************************************************************/ --- -2.39.0 - diff --git a/xrdp-CVE-2022-23483.patch b/xrdp-CVE-2022-23483.patch deleted file mode 100644 index 81c4a3a..0000000 --- a/xrdp-CVE-2022-23483.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 10:21:41 +0000 -Subject: [PATCH 7/9] CVE-2022-23483 - -Sanitise channel data being passed from application - -Avoids OOB read if the size field is incorrect. ---- - xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------ - 1 file changed, 21 insertions(+), 12 deletions(-) - -diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c -index c91e03ab..bc7b1b83 100644 ---- a/xrdp/xrdp_mm.c -+++ b/xrdp/xrdp_mm.c -@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans) - static int - xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s) - { -- int size; -- int total_size; -+ unsigned int size; -+ unsigned int total_size; - int chan_id; - int chan_flags; -- int rv; -- -- in_uint16_le(s, chan_id); -- in_uint16_le(s, chan_flags); -- in_uint16_le(s, size); -- in_uint32_le(s, total_size); -- rv = 0; -+ int rv = 0; - -- if (rv == 0) -+ if (!s_check_rem_and_log(s, 10, "Reading channel data header")) -+ { -+ rv = 1; -+ } -+ else - { -- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size, -- chan_flags); -+ in_uint16_le(s, chan_id); -+ in_uint16_le(s, chan_flags); -+ in_uint16_le(s, size); -+ in_uint32_le(s, total_size); -+ if (!s_check_rem_and_log(s, size, "Reading channel data data")) -+ { -+ rv = 1; -+ } -+ else -+ { -+ rv = libxrdp_send_to_channel(self->wm->session, chan_id, -+ s->p, size, total_size, chan_flags); -+ } - } - - return rv; --- -2.39.0 - diff --git a/xrdp-CVE-2022-23484.patch b/xrdp-CVE-2022-23484.patch deleted file mode 100644 index 860eda0..0000000 --- a/xrdp-CVE-2022-23484.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 10:03:24 +0000 -Subject: [PATCH 8/9] CVE-2022-23484 - -Add check for RAIL window text size ---- - xrdp/xrdp_mm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c -index bc7b1b83..b59345d7 100644 ---- a/xrdp/xrdp_mm.c -+++ b/xrdp/xrdp_mm.c -@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s) - - g_memset(&rwso, 0, sizeof(rwso)); - in_uint32_le(s, size); /* title size */ -+ if (size < 0 || !s_check_rem(s, size)) -+ { -+ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d", -+ __func__, size); -+ return 1; -+ } - rwso.title_info = g_new(char, size + 1); - in_uint8a(s, rwso.title_info, size); - rwso.title_info[size] = 0; --- -2.39.0 - diff --git a/xrdp-CVE-2022-23493.patch b/xrdp-CVE-2022-23493.patch deleted file mode 100644 index f7a6ef6..0000000 --- a/xrdp-CVE-2022-23493.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001 -From: matt335672 <30179339+matt335672@users.noreply.github.com> -Date: Wed, 7 Dec 2022 10:49:06 +0000 -Subject: [PATCH 9/9] CVE-2022-23493 - -Check chansrv channel ID on a channel close - -Prevent OOB read if an invalid channel ID is sent. ---- - xrdp/xrdp_mm.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c -index b59345d7..c27c2341 100644 ---- a/xrdp/xrdp_mm.c -+++ b/xrdp/xrdp_mm.c -@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self, - return 1; - } - in_uint32_le(s, chansrv_chan_id); -+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) -+ { -+ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d", -+ chansrv_chan_id); -+ return 1; -+ } - chan_id = self->cs2xr_cid_map[chansrv_chan_id]; - /* close dynamic channel */ - error = libxrdp_drdynvc_close(self->wm->session, chan_id); --- -2.39.0 - diff --git a/xrdp-make-pamconfdir-configurable.patch b/xrdp-make-pamconfdir-configurable.patch deleted file mode 100644 index 8580ec8..0000000 --- a/xrdp-make-pamconfdir-configurable.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 8be6bc137e44939d15a8b28eff4df53c961ca84c Mon Sep 17 00:00:00 2001 -From: Yifan J -Date: Tue, 21 Feb 2023 09:50:46 +0800 -Subject: [PATCH] Make pam.d directory configurable - ---- - configure.ac | 7 +++++++ - instfiles/pam.d/Makefile.am | 2 +- - sesman/Makefile.am | 1 + - sesman/tools/Makefile.am | 1 + - sesman/verify_user_pam.c | 10 +++++++++- - 5 files changed, 19 insertions(+), 2 deletions(-) - -Index: xrdp-0.9.20/configure.ac -=================================================================== ---- xrdp-0.9.20.orig/configure.ac -+++ xrdp-0.9.20/configure.ac -@@ -464,6 +464,12 @@ if test "x$enable_strict_locations" != " - localstatedir="/var"; - fi - -+AC_ARG_WITH([pamconfdir], -+ [AS_HELP_STRING([--with-pamconfdir=DIR], -+ [Use directory for pam.d config (default: /etc/pam.d)])], -+ [], [with_pamconfdir="$sysconfdir/pam.d"]) -+AC_SUBST([pamconfdir], [$with_pamconfdir]) -+ - PKG_INSTALLDIR - - AC_CHECK_HEADERS([sys/prctl.h]) -@@ -542,6 +548,7 @@ echo " exec_prefix $exec_pr - echo " libdir $libdir" - echo " bindir $bindir" - echo " sysconfdir $sysconfdir" -+echo " pamconfdir $pamconfdir" - echo "" - echo " unit tests performable $perform_unit_tests" - echo "" -Index: xrdp-0.9.20/instfiles/pam.d/Makefile.am -=================================================================== ---- xrdp-0.9.20.orig/instfiles/pam.d/Makefile.am -+++ xrdp-0.9.20/instfiles/pam.d/Makefile.am -@@ -25,7 +25,7 @@ endif - endif - endif - --pamddir = $(sysconfdir)/pam.d -+pamddir = $(pamconfdir) - - pamd_DATA = \ - $(PAMFILE) -Index: xrdp-0.9.20/sesman/Makefile.am -=================================================================== ---- xrdp-0.9.20.orig/sesman/Makefile.am -+++ xrdp-0.9.20/sesman/Makefile.am -@@ -8,6 +8,7 @@ AM_CPPFLAGS = \ - -DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \ - -DXRDP_PID_PATH=\"${localstatedir}/run\" \ - -DXRDP_SOCKET_PATH=\"${socketdir}\" \ -+ -DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \ - -I$(top_srcdir)/common \ - -I$(top_srcdir)/sesman/libscp - -Index: xrdp-0.9.20/sesman/tools/Makefile.am -=================================================================== ---- xrdp-0.9.20.orig/sesman/tools/Makefile.am -+++ xrdp-0.9.20/sesman/tools/Makefile.am -@@ -4,6 +4,7 @@ AM_CPPFLAGS = \ - -DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \ - -DXRDP_PID_PATH=\"${localstatedir}/run\" \ - -DXRDP_SOCKET_PATH=\"${socketdir}\" \ -+ -DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \ - -I$(top_srcdir)/common \ - -I$(top_srcdir)/sesman/libscp \ - -I$(top_srcdir)/sesman -Index: xrdp-0.9.20/sesman/verify_user_pam.c -=================================================================== ---- xrdp-0.9.20.orig/sesman/verify_user_pam.c -+++ xrdp-0.9.20/sesman/verify_user_pam.c -@@ -197,7 +197,15 @@ get_service_name(char *service_name) - service_name[0] = 0; - - if (g_file_exist("/etc/pam.d/xrdp-sesman") || -- g_file_exist(XRDP_SYSCONF_PATH "/pam.d/xrdp-sesman")) -+#ifdef __LINUX_PAM__ -+ /* /usr/lib/pam.d is hardcoded into Linux-PAM */ -+ g_file_exist("/usr/lib/pam.d/xrdp-sesman") || -+#endif -+#ifdef OPENPAM_VERSION -+ /* /usr/local/etc/pam.d is hardcoded into OpenPAM */ -+ g_file_exist("/usr/local/etc/pam.d/xrdp-sesman") || -+#endif -+ g_file_exist(XRDP_PAMCONF_PATH "/xrdp-sesman")) - { - g_strncpy(service_name, "xrdp-sesman", 255); - } diff --git a/xrdp-update-pam.d-path.patch b/xrdp-update-pam.d-path.patch deleted file mode 100644 index e5f4f76..0000000 --- a/xrdp-update-pam.d-path.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 76716169e3fe95b14c75b5571717b148b524909c Mon Sep 17 00:00:00 2001 -From: Daike Yu -Date: Mon, 7 Nov 2022 18:27:07 +0800 -Subject: [PATCH] Update pamdir_suse to accommodate with TW pam.d move -References: bsc#1203468 -Upstream: submitted - -On newer builds of openSUSE tumbleweed the path of pam.d has moved from -/usr/etc/pam.d to /usr/lib/pam.d, which prevents install script to -correctly guess pam rules. Updating path in mkpamrules solves the -problem. ---- - instfiles/pam.d/mkpamrules | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/instfiles/pam.d/mkpamrules b/instfiles/pam.d/mkpamrules -index 989a52f4..230d92be 100755 ---- a/instfiles/pam.d/mkpamrules -+++ b/instfiles/pam.d/mkpamrules -@@ -8,7 +8,11 @@ outfile="$3" - - service="xrdp-sesman" - pamdir="/etc/pam.d" --pamdir_suse="/usr/etc/pam.d" -+pamdir_suse="/usr/lib/pam.d" -+if [ ! -d $pamdir_suse ]; then -+ # Older SUSE distros uses /usr/etc/pam.d -+ pamdir_suse="/usr/etc/pam.d" -+fi - - # Modules needed by xrdp-sesman.unix, if we get to that - unix_modules_needed="pam_unix.so pam_env.so pam_nologin.so" --- -2.35.3 - diff --git a/xrdp.changes b/xrdp.changes index 8a82c46..83ff2bf 100644 --- a/xrdp.changes +++ b/xrdp.changes @@ -1,3 +1,48 @@ +------------------------------------------------------------------- +Thu Aug 3 04:01:39 UTC 2023 - Linnaea Lavia + +- Update to version 0.9.22 + + New features + - Empty passwords are no longer automatically passed through to sesman for authentication + - Don't try to listen on the scard socket if it isn't there + - The directory where PAM configuration files are installed can now be set with --with-pamconfdir + - Sesman can now be configured to ignore alternate shells passed from the client + - Allow longer UserWindowManager strings + - openSuSE Tumbleweed move to /usr/lib/pam.d is now supported in the installation scripts + - VNC backend session now supports extra mouse buttons 6, 7 and 8 + + Bug fixes + - Minor documentation fixes + - Memory management fixes to list module + - Fix some noise when MP3/AAC are in use and some logging improvements + - Fix potential NULL dereferences in chansrv + - An erroneous free in the smartcard handling code has been removed + - Passwords are no longer left on the heap in sesman + - Set permissions on pcsc socket dir to owner only + + Security fixes + - CVE-2022-23468 + - CVE-2022-23477 + - CVE-2022-23478 + - CVE-2022-23479 + - CVE-2022-23480 + - CVE-2022-23481 + - CVE-2022-23482 + - CVE-2022-23483 + - CVE-2022-23484 + - CVE-2022-23493 +- Drop upstreamed patches: + xrdp-CVE-2022-23468.patch + xrdp-CVE-2022-23477.patch + xrdp-CVE-2022-23478.patch + xrdp-CVE-2022-23479.patch + xrdp-CVE-2022-23480.patch + xrdp-CVE-2022-23481.patch + xrdp-CVE-2022-23482.patch + xrdp-CVE-2022-23483.patch + xrdp-CVE-2022-23484.patch + xrdp-CVE-2022-23493.patch + xrdp-make-pamconfdir-configurable.patch + xrdp-update-pam.d-path.patch + ------------------------------------------------------------------- Tue Jun 6 14:19:55 UTC 2023 - Dominique Leuenberger diff --git a/xrdp.spec b/xrdp.spec index 786f7ce..26e8160 100644 --- a/xrdp.spec +++ b/xrdp.spec @@ -22,7 +22,7 @@ %endif Name: xrdp -Version: 0.9.20 +Version: 0.9.22.1 Release: 0 Summary: Remote desktop protocol (RDP) server License: Apache-2.0 AND GPL-2.0-or-later @@ -44,30 +44,6 @@ Patch4: xrdp-disable-8-bpp-vnc-support.patch Patch5: xrdp-support-KillDisconnected-for-Xvnc.patch # PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 - fezhang@suse.com -- Let systemd handle the daemons Patch6: xrdp-systemd-services.patch -# PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 - yu.daike@suse.com -- update install script to accommodate with pam.d path move -Patch7: xrdp-update-pam.d-path.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23468.patch bsc#1206300 - yu.daike@suse.com -- Buffer overflow in xrdp_login_wnd_create() -Patch8: xrdp-CVE-2022-23468.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23478.patch bsc#1206302 - yu.daike@suse.com -- Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan -Patch9: xrdp-CVE-2022-23478.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23479.patch bsc#1206303 - yu.daike@suse.com -- Buffer overflow in xrdp_mm_chan_data_in() function -Patch10: xrdp-CVE-2022-23479.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23480.patch bsc#1206306 - yu.daike@suse.com -- Buffer overflow in devredir_proc_client_devlist_announce_req -Patch11: xrdp-CVE-2022-23480.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23481.patch bsc#1206307 - yu.daike@suse.com -- Out of Bound Read in xrdp_caps_process_confirm_active() -Patch12: xrdp-CVE-2022-23481.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23482.patch bsc#1206310 - yu.daike@suse.com -- Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() -Patch13: xrdp-CVE-2022-23482.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23483.patch bsc#1206311 - yu.daike@suse.com -- Out of Bound Read in libxrdp_send_to_channel() -Patch14: xrdp-CVE-2022-23483.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23484.patch bsc#1206312 - yu.daike@suse.com -- Integer Overflow in xrdp_mm_process_rail_update_window_text() -Patch15: xrdp-CVE-2022-23484.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23493.patch bsc#1206313 - yu.daike@suse.com -- Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() -Patch16: xrdp-CVE-2022-23493.patch -# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23477.patch bsc#1206301 - yu.daike@suse.com -- Buffer over flow in audin_send_open() function -Patch17: xrdp-CVE-2022-23477.patch -# PATCH-FIX-UPSTREAM xrdp-make-pamconfdir-configurable.patch gh#neutrinolabs/xrdp!2552 bsc#1208121 - yfjiang@suse.com -- Configure pam.d directory at build time -Patch18: xrdp-make-pamconfdir-configurable.patch # Keep SLE only patches on the bottom starting from patch number 1001 # PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support. @@ -130,18 +106,6 @@ This package contains libraries for the JPEG2000 codec for RDP. %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 %if 0%{?sle_version} %patch1001 -p1 %patch1002 -p1