pool/xrdp
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop

Browse Source 
- xrdp-CVE-2022-23477.patch (bsc#1206301)
  + Buffer over flow in audin_send_open() function

- Security fixes:
  + xrdp-CVE-2022-23468.patch (bsc#1206300)
    * Buffer overflow in xrdp_login_wnd_create()
  + xrdp-CVE-2022-23478.patch (bsc#1206302)
    * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
  + xrdp-CVE-2022-23479.patch (bsc#1206303)
    * Buffer overflow in xrdp_mm_chan_data_in() function
  + xrdp-CVE-2022-23480.patch (bsc#1206306)
    * Buffer overflow in devredir_proc_client_devlist_announce_req
  + xrdp-CVE-2022-23481.patch (bsc#1206307)
    * Out of Bound Read in xrdp_caps_process_confirm_active()
  + xrdp-CVE-2022-23482.patch (bsc#1206310)
    + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
  + xrdp-CVE-2022-23483.patch (bsc#1206311)
    + Out of Bound REad in libxrdp_send_to_channel()
  + xrdp-CVE-2022-23484.patch (bsc#1206312)
    + Integer Overflow in xrdp_mm_process_rail_update_window_text()
  + xrdp-CVE-2022-23493.patch (bsc#1206313)
    + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()

OBS-URL: https://build.opensuse.org/request/show/1057176
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106
This commit is contained in:
Yifan Jiang 2023-01-10 03:10:49 +00:00 committed by Git OBS Bridge
parent 843cab38ae
commit f0ddc89311
12 changed files with 901 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
xrdp-CVE-2022-23468.patch Normal file
View File

@ -0,0 +1,33 @@
From a0b5de1d09ed149cbbee8697f001adbbe9476a06 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:16:44 +0000
Subject: [PATCH 1/9] CVE-2022-23468
Login window - replace g_sprintf() withl g_snprintf() calls
---
xrdp/xrdp_login_wnd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
index 7a3134fd..28748676 100644
--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
if (globals->ls_title[0] == 0)
{
g_gethostname(buf1, 256);
- g_sprintf(buf, "Login to %s", buf1);
+ g_snprintf(buf, sizeof(buf), "Login to %s", buf1);
set_string(&self->login_window->caption1, buf);
}
else
{
/*self->login_window->caption1 = globals->ls_title[0];*/
- g_sprintf(buf, "%s", globals->ls_title);
+ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title);
set_string(&self->login_window->caption1, buf);
}
--
2.39.0

37
xrdp-CVE-2022-23477.patch Normal file
View File

@ -0,0 +1,37 @@
From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 11:31:31 +0000
Subject: [PATCH] CVE-2022-23477
Prevent buffer overflow for oversized audio format from client
---
sesman/chansrv/audin.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c
index cd802fa5..36a8027a 100644
--- a/sesman/chansrv/audin.c
+++ b/sesman/chansrv/audin.c
@@ -181,15 +181,16 @@ audin_send_open(int chan_id)
int error;
int bytes;
struct stream *s;
- struct xr_wave_format_ex *wf;
+ struct xr_wave_format_ex *wf = g_client_formats[g_current_format];
LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:");
make_stream(s);
- init_stream(s, 8192);
+ /* wf->cbSize was checked when the format was received */
+ init_stream(s, wf->cbSize + 64);
+
out_uint8(s, MSG_SNDIN_OPEN);
out_uint32_le(s, 2048); /* FramesPerPacket */
out_uint32_le(s, g_current_format); /* initialFormat */
- wf = g_client_formats[g_current_format];
out_uint16_le(s, wf->wFormatTag);
out_uint16_le(s, wf->nChannels);
out_uint32_le(s, wf->nSamplesPerSec);
--
2.39.0

84
xrdp-CVE-2022-23478.patch Normal file
View File

@ -0,0 +1,84 @@
From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:12:42 +0000
Subject: [PATCH 2/9] CVE-2022-23478
Fix potential OOB write if invalid chansrv channel opened
Also removed an unnecessary dynamic memory allocation
---
xrdp/xrdp_mm.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 74b0516a..c91e03ab 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
int error;
int chan_id;
int chansrv_chan_id;
- char *name;
+ char name[1024 + 1];
struct xrdp_drdynvc_procs procs;
if (!s_check_rem(s, 2))
@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
return 1;
}
in_uint32_le(s, name_bytes);
- if ((name_bytes < 1) || (name_bytes > 1024))
- {
- return 1;
- }
- name = g_new(char, name_bytes + 1);
- if (name == NULL)
+ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1)))
{
return 1;
}
if (!s_check_rem(s, name_bytes))
{
- g_free(name);
return 1;
}
in_uint8a(s, name, name_bytes);
name[name_bytes] = 0;
if (!s_check_rem(s, 8))
{
- g_free(name);
return 1;
}
in_uint32_le(s, flags);
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
+
if (flags == 0)
{
/* open static channel, not supported */
- g_free(name);
return 1;
}
else
@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self,
&chan_id);
if (error != 0)
{
- g_free(name);
return 1;
}
self->xr2cr_cid_map[chan_id] = chansrv_chan_id;
self->cs2xr_cid_map[chansrv_chan_id] = chan_id;
}
- g_free(name);
return 0;
}
--
2.39.0

82
xrdp-CVE-2022-23479.patch Normal file
View File

@ -0,0 +1,82 @@
From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 09:44:56 +0000
Subject: [PATCH 3/9] CVE-2022-23479
Detect attempts to overflow input buffer
If application code hasn't properly sanitised the header_size
for a transport, it is possible for read requests to be issued
which overflow the input buffer. This change detects this
at a low level and bounces the read request.
---
common/trans.c | 19 +++++++++++++++----
common/trans.h | 2 +-
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/common/trans.c b/common/trans.c
index 55d2a638..1d2d3e68 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self)
tbus in_sck = (tbus) 0;
struct trans *in_trans = (struct trans *) NULL;
int read_bytes = 0;
- int to_read = 0;
- int read_so_far = 0;
+ unsigned int to_read = 0;
+ unsigned int read_so_far = 0;
int rv = 0;
enum xrdp_source cur_source;
@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self)
}
else if (self->trans_can_recv(self, self->sck, 0))
{
+ /* CVE-2022-23479 - check a malicious caller hasn't managed
+ * to set the header_size to an unreasonable value */
+ if (self->header_size > (unsigned int)self->in_s->size)
+ {
+ LOG(LOG_LEVEL_ERROR,
+ "trans_check_wait_objs: Reading %u bytes beyond buffer",
+ self->header_size - (unsigned int)self->in_s->size);
+ self->status = TRANS_STATUS_DOWN;
+ return 1;
+ }
+
cur_source = XRDP_SOURCE_NONE;
if (self->si != 0)
{
cur_source = self->si->cur_source;
self->si->cur_source = self->my_source;
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
to_read = self->header_size - read_so_far;
if (to_read > 0)
@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self)
}
}
- read_so_far = (int) (self->in_s->end - self->in_s->data);
+ read_so_far = self->in_s->end - self->in_s->data;
if (read_so_far == self->header_size)
{
diff --git a/common/trans.h b/common/trans.h
index 1cd89fda..313c543b 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -98,7 +98,7 @@ struct trans
ttrans_data_in trans_data_in;
ttrans_conn_in trans_conn_in;
void *callback_data;
- int header_size;
+ unsigned int header_size;
struct stream *in_s;
struct stream *out_s;
char *listen_filename;
--
2.39.0

355
xrdp-CVE-2022-23480.patch Normal file
View File

@ -0,0 +1,355 @@
From 6680c506e4562715e3ff500c114208dac88863cb Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Tue, 6 Dec 2022 12:48:57 +0000
Subject: [PATCH 4/9] CVE-2022-23480
Added length checking to redirector response parsing
---
sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++-------
1 file changed, 123 insertions(+), 28 deletions(-)
diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
index a44d47e6..7faa9bfc 100644
--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void);
static void devredir_send_server_clientID_confirm(void);
static void devredir_send_server_user_logged_on(void);
-static void devredir_proc_client_core_cap_resp(struct stream *s);
-static void devredir_proc_client_devlist_announce_req(struct stream *s);
-static void devredir_proc_client_devlist_remove_req(struct stream *s);
-static void devredir_proc_device_iocompletion(struct stream *s);
+static int devredir_proc_client_core_cap_resp(struct stream *s);
+static int devredir_proc_client_devlist_announce_req(struct stream *s);
+static int devredir_proc_client_devlist_remove_req(struct stream *s);
+static int devredir_proc_device_iocompletion(struct stream *s);
static void devredir_proc_query_dir_response(IRP *irp,
struct stream *s_in,
tui32 DeviceId,
@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
}
/* read header from incoming data */
+ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER"))
+ {
+ rv = -1;
+ goto done;
+ }
xstream_rd_u16_le(ls, comp_type);
xstream_rd_u16_le(ls, pktID);
@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
switch (pktID)
{
case PAKID_CORE_CLIENTID_CONFIRM:
- xstream_seek(ls, 2); /* major version, we ignore it */
- xstream_rd_u16_le(ls, minor_ver);
- xstream_rd_u32_le(ls, g_clientID);
+ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP"))
+ {
+ rv = -1;
+ }
+ else
+ {
+ xstream_seek(ls, 2); /* major version, we ignore it */
+ xstream_rd_u16_le(ls, minor_ver);
+ xstream_rd_u32_le(ls, g_clientID);
- g_client_rdp_version = minor_ver;
+ g_client_rdp_version = minor_ver;
- switch (minor_ver)
- {
- case RDP_CLIENT_50:
- break;
+ switch (minor_ver)
+ {
+ case RDP_CLIENT_50:
+ break;
- case RDP_CLIENT_51:
- break;
+ case RDP_CLIENT_51:
+ break;
- case RDP_CLIENT_52:
- break;
+ case RDP_CLIENT_52:
+ break;
- case RDP_CLIENT_60_61:
- break;
+ case RDP_CLIENT_60_61:
+ break;
+ }
+ // LK_TODO devredir_send_server_clientID_confirm();
}
- // LK_TODO devredir_send_server_clientID_confirm();
break;
case PAKID_CORE_CLIENT_NAME:
@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length,
break;
case PAKID_CORE_CLIENT_CAPABILITY:
- devredir_proc_client_core_cap_resp(ls);
+ rv = devredir_proc_client_core_cap_resp(ls);
break;
case PAKID_CORE_DEVICELIST_ANNOUNCE:
- devredir_proc_client_devlist_announce_req(ls);
+ rv = devredir_proc_client_devlist_announce_req(ls);
break;
case PAKID_CORE_DEVICELIST_REMOVE:
- devredir_proc_client_devlist_remove_req(ls);
+ rv = devredir_proc_client_devlist_remove_req(ls);
break;
case PAKID_CORE_DEVICE_IOCOMPLETION:
- devredir_proc_device_iocompletion(ls);
+ rv = devredir_proc_device_iocompletion(ls);
break;
default:
@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id,
* @brief process client's response to our core_capability_req() msg
*
* @param s stream containing client's response
+ * @return 0 for success, -1 otherwise
*****************************************************************************/
-static void
+static int
devredir_proc_client_core_cap_resp(struct stream *s)
{
int i;
@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s)
tui32 cap_version;
char *holdp;
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, num_caps);
xstream_seek(s, 2); /* padding */
for (i = 0; i < num_caps; i++)
{
holdp = s->p;
+ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER"))
+ {
+ return -1;
+ }
xstream_rd_u16_le(s, cap_type);
xstream_rd_u16_le(s, cap_len);
xstream_rd_u32_le(s, cap_version);
+ /* Convert the length to a remaining length. Underflow is possible,
+ * but this is an unsigned type so that's OK */
+ cap_len -= (s->p - holdp);
+ if (cap_len > 0 &&
+ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length"))
+ {
+ return -1;
+ }
switch (cap_type)
{
@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s)
scard_init();
break;
}
- s->p = holdp + cap_len;
+ xstream_seek(s, cap_len);
}
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_announce_req(struct stream *s)
{
unsigned int i;
@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
enum NTSTATUS response_status;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ"))
+ {
+ return -1;
+ }
+
xstream_rd_u32_le(s, device_count);
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count);
for (i = 0; i < device_count; i++)
{
+ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_type);
xstream_rd_u32_le(s, g_device_id);
/* get preferred DOS name
@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
/* Read the device data length from the stream */
xstream_rd_u32_le(s, device_data_len);
+ if (device_data_len > 0 && !
+ !s_check_rem_and_log(s, device_data_len,
+ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata"))
+ {
+ return -1;
+ }
switch (device_type)
{
@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s)
devredir_send_server_device_announce_resp(g_device_id,
response_status);
}
+
+ return 0;
}
-static void
+static int
devredir_proc_client_devlist_remove_req(struct stream *s)
{
unsigned int i;
@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
tui32 device_id;
/* get number of devices being announced */
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, device_count);
+ if (!s_check_rem_and_log(s, 4 * device_count,
+ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list"))
+ {
+ return -1;
+ }
LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count);
{
@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s)
xfuse_delete_share(device_id);
}
}
+ return 0;
}
-static void
+static int
devredir_proc_device_iocompletion(struct stream *s)
{
IRP *irp = NULL;
@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s)
tui32 Length;
enum COMPLETION_TYPE comp_type;
+ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, DeviceId);
xstream_rd_u32_le(s, CompletionId);
xstream_rd_u32_le(s, IoStatus32);
@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s)
}
else
{
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_send_drive_dir_request(irp, DeviceId,
1, irp->pathname);
@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_CREATE_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_create_file(
@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_OPEN_REQ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info,
@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_READ:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
+ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP"))
+ {
+ return -1;
+ }
xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info,
IoStatus,
s->p, Length);
@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_WRITE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, Length);
xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info,
IoStatus,
@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RMDIR_OR_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rmdir_or_file(irp, IoStatus);
break;
@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
case CID_RENAME_FILE:
+ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP"))
+ {
+ return -1;
+ }
xstream_rd_u32_le(s, irp->FileId);
devredir_proc_cid_rename_file(irp, IoStatus);
break;
@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s)
break;
}
}
+ return 0;
}
static void
--
2.39.0

45
xrdp-CVE-2022-23481.patch Normal file
View File

@ -0,0 +1,45 @@
From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:40:25 +0000
Subject: [PATCH 5/9] CVE-2022-23481
Add length checks to client confirm active PDU parsing
---
libxrdp/xrdp_caps.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c
index 5c5e74a5..ac21cc0a 100644
--- a/libxrdp/xrdp_caps.c
+++ b/libxrdp/xrdp_caps.c
@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s)
int len;
char *p;
+ if (!s_check_rem_and_log(s, 10,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header"))
+ {
+ return 1;
+ }
in_uint8s(s, 4); /* rdp_shareid */
in_uint8s(s, 2); /* userid */
in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */
in_uint16_le(s, cap_len);
+
+ if (!s_check_rem_and_log(s, source_len + 2 + 2,
+ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU"
+ " - header2"))
+ {
+ return 1;
+ }
in_uint8s(s, source_len);
in_uint16_le(s, num_caps);
in_uint8s(s, 2); /* pad */
+
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU "
"shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, "
"lengthCombinedCapabilities %d, sourceDescriptor (ignored), "
--
2.39.0

68
xrdp-CVE-2022-23482.patch Normal file
View File

@ -0,0 +1,68 @@
From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:05:46 +0000
Subject: [PATCH 6/9] CVE-2022-23482
Check minimum length of TS_UD_CS_CORE message
---
libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 691d4f04..084fca6b 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
static int
xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
{
+#define CS_CORE_MIN_LENGTH \
+ (\
+ 4 + /* Version */ \
+ 2 + 2 + /* desktopWidth + desktopHeight */ \
+ 2 + 2 + /* colorDepth + SASSequence */ \
+ 4 + /* keyboardLayout */ \
+ 4 + 32 + /* clientBuild + clientName */ \
+ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
+ 64 + /* imeFileName */ \
+ 0)
+
int version;
int colorDepth;
int postBeta2ColorDepth;
@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
UNUSED_VAR(version);
- /* TS_UD_CS_CORE requiered fields */
+ /* TS_UD_CS_CORE required fields */
+ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
+ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
+ {
+ return 1;
+ }
in_uint32_le(s, version);
in_uint16_le(s, self->rdp_layer->client_info.width);
in_uint16_le(s, self->rdp_layer->client_info.height);
@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
clientName);
/* TS_UD_CS_CORE optional fields */
+ if (!s_check_rem(s, 2))
+ {
+ return 0;
+ }
in_uint16_le(s, postBeta2ColorDepth);
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
"<Optional Field> postBeta2ColorDepth %s",
@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
"<Optional Field> desktopOrientation (ignored)");
return 0;
+#undef CS_CORE_MIN_LENGTH
}
/*****************************************************************************/
--
2.39.0

63
xrdp-CVE-2022-23483.patch Normal file
View File

@ -0,0 +1,63 @@
From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:21:41 +0000
Subject: [PATCH 7/9] CVE-2022-23483
Sanitise channel data being passed from application
Avoids OOB read if the size field is incorrect.
---
xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index c91e03ab..bc7b1b83 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans)
static int
xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
{
- int size;
- int total_size;
+ unsigned int size;
+ unsigned int total_size;
int chan_id;
int chan_flags;
- int rv;
-
- in_uint16_le(s, chan_id);
- in_uint16_le(s, chan_flags);
- in_uint16_le(s, size);
- in_uint32_le(s, total_size);
- rv = 0;
+ int rv = 0;
- if (rv == 0)
+ if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+ {
+ rv = 1;
+ }
+ else
{
- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
- chan_flags);
+ in_uint16_le(s, chan_id);
+ in_uint16_le(s, chan_flags);
+ in_uint16_le(s, size);
+ in_uint32_le(s, total_size);
+ if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+ {
+ rv = 1;
+ }
+ else
+ {
+ rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+ s->p, size, total_size, chan_flags);
+ }
}
return rv;
--
2.39.0

30
xrdp-CVE-2022-23484.patch Normal file
View File

@ -0,0 +1,30 @@
From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:03:24 +0000
Subject: [PATCH 8/9] CVE-2022-23484
Add check for RAIL window text size
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index bc7b1b83..b59345d7 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s)
g_memset(&rwso, 0, sizeof(rwso));
in_uint32_le(s, size); /* title size */
+ if (size < 0 || !s_check_rem(s, size))
+ {
+ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d",
+ __func__, size);
+ return 1;
+ }
rwso.title_info = g_new(char, size + 1);
in_uint8a(s, rwso.title_info, size);
rwso.title_info[size] = 0;
--
2.39.0

32
xrdp-CVE-2022-23493.patch Normal file
View File

@ -0,0 +1,32 @@
From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:49:06 +0000
Subject: [PATCH 9/9] CVE-2022-23493
Check chansrv channel ID on a channel close
Prevent OOB read if an invalid channel ID is sent.
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index b59345d7..c27c2341 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self,
return 1;
}
in_uint32_le(s, chansrv_chan_id);
+ if (chansrv_chan_id < 0 || chansrv_chan_id > 255)
+ {
+ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d",
+ chansrv_chan_id);
+ return 1;
+ }
chan_id = self->cs2xr_cid_map[chansrv_chan_id];
/* close dynamic channel */
error = libxrdp_drdynvc_close(self->wm->session, chan_id);
--
2.39.0

29
xrdp.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Tue Jan 10 02:08:45 UTC 2023 - Daike Yu <yu.daike@suse.com>
- xrdp-CVE-2022-23477.patch (bsc#1206301)
+ Buffer over flow in audin_send_open() function
-------------------------------------------------------------------
Wed Dec 28 04:47:31 UTC 2022 - Daike Yu <yu.daike@suse.com>
- Security fixes:
+ xrdp-CVE-2022-23468.patch (bsc#1206300)
* Buffer overflow in xrdp_login_wnd_create()
+ xrdp-CVE-2022-23478.patch (bsc#1206302)
* Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
+ xrdp-CVE-2022-23479.patch (bsc#1206303)
* Buffer overflow in xrdp_mm_chan_data_in() function
+ xrdp-CVE-2022-23480.patch (bsc#1206306)
* Buffer overflow in devredir_proc_client_devlist_announce_req
+ xrdp-CVE-2022-23481.patch (bsc#1206307)
* Out of Bound Read in xrdp_caps_process_confirm_active()
+ xrdp-CVE-2022-23482.patch (bsc#1206310)
+ Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
+ xrdp-CVE-2022-23483.patch (bsc#1206311)
+ Out of Bound REad in libxrdp_send_to_channel()
+ xrdp-CVE-2022-23484.patch (bsc#1206312)
+ Integer Overflow in xrdp_mm_process_rail_update_window_text()
+ xrdp-CVE-2022-23493.patch (bsc#1206313)
+ Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
-------------------------------------------------------------------
Mon Dec 5 02:06:32 UTC 2022 - Daike Yu <yu.daike@suse.com>

55
xrdp.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package xrdp
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -44,16 +44,37 @@ Patch4: xrdp-disable-8-bpp-vnc-support.patch
Patch5: xrdp-support-KillDisconnected-for-Xvnc.patch
# PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 - fezhang@suse.com -- Let systemd handle the daemons
Patch6: xrdp-systemd-services.patch
# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support.
Patch11: xrdp-avahi.diff
# PATCH-FIX-SLE xrdp-filter-tab-from-mstsc-on-focus-change.patch bnc#601996 bnc#623534 - dliang@novell.com -- filter the fake tab key which is used to notify the session
Patch12: xrdp-filter-tab-from-mstsc-on-focus-change.patch
# PATCH-FIX-SLE xrdp-bsc965647-allow-admin-choose-desktop.patch bsc#965647 - fezhang@suse.com -- Allow administrator choose the desktop displayed
Patch13: xrdp-bsc965647-allow-admin-choose-desktop.patch
# PATCH-FEATURE-SLE xrdp-fate318398-change-expired-password.patch fate#318398 - fezhang@suse.com -- enable user to update expired password via PAM
Patch14: xrdp-fate318398-change-expired-password.patch
# PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 - yu.daike@suse.com -- update install script to accommodate with pam.d path move
Patch15: xrdp-update-pam.d-path.patch
Patch7: xrdp-update-pam.d-path.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23468.patch bsc#1206300 - yu.daike@suse.com -- Buffer overflow in xrdp_login_wnd_create()
Patch8: xrdp-CVE-2022-23468.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23478.patch bsc#1206302 - yu.daike@suse.com -- Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
Patch9: xrdp-CVE-2022-23478.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23479.patch bsc#1206303 - yu.daike@suse.com -- Buffer overflow in xrdp_mm_chan_data_in() function
Patch10: xrdp-CVE-2022-23479.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23480.patch bsc#1206306 - yu.daike@suse.com -- Buffer overflow in devredir_proc_client_devlist_announce_req
Patch11: xrdp-CVE-2022-23480.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23481.patch bsc#1206307 - yu.daike@suse.com -- Out of Bound Read in xrdp_caps_process_confirm_active()
Patch12: xrdp-CVE-2022-23481.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23482.patch bsc#1206310 - yu.daike@suse.com -- Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
Patch13: xrdp-CVE-2022-23482.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23483.patch bsc#1206311 - yu.daike@suse.com -- Out of Bound Read in libxrdp_send_to_channel()
Patch14: xrdp-CVE-2022-23483.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23484.patch bsc#1206312 - yu.daike@suse.com -- Integer Overflow in xrdp_mm_process_rail_update_window_text()
Patch15: xrdp-CVE-2022-23484.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23493.patch bsc#1206313 - yu.daike@suse.com -- Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
Patch16: xrdp-CVE-2022-23493.patch
# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23477.patch bsc#1206301 - yu.daike@suse.com -- Buffer over flow in audin_send_open() function
Patch17: xrdp-CVE-2022-23477.patch
# Keep SLE only patches on the bottom starting from patch number 1001
# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support.
Patch1001: xrdp-avahi.diff
# PATCH-FIX-SLE xrdp-filter-tab-from-mstsc-on-focus-change.patch bnc#601996 bnc#623534 - dliang@novell.com -- filter the fake tab key which is used to notify the session
Patch1002: xrdp-filter-tab-from-mstsc-on-focus-change.patch
# PATCH-FIX-SLE xrdp-bsc965647-allow-admin-choose-desktop.patch bsc#965647 - fezhang@suse.com -- Allow administrator choose the desktop displayed
Patch1003: xrdp-bsc965647-allow-admin-choose-desktop.patch
# PATCH-FEATURE-SLE xrdp-fate318398-change-expired-password.patch fate#318398 - fezhang@suse.com -- enable user to update expired password via PAM
Patch1004: xrdp-fate318398-change-expired-password.patch
BuildRequires: autoconf
BuildRequires: automake
@ -106,13 +127,23 @@ This package contains libraries for the JPEG2000 codec for RDP.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%if 0%{?sle_version}
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%endif
%patch15 -p1
%patch16 -p1
%patch17 -p1
%if 0%{?sle_version}
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%endif
%build
sh ./bootstrap