From f0ddc89311f9d93130ee442cfaf33eb9101766a7395fa8ad65d61ab0f5f6ea4b Mon Sep 17 00:00:00 2001 From: Yifan Jiang Date: Tue, 10 Jan 2023 03:10:49 +0000 Subject: [PATCH] Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop - xrdp-CVE-2022-23477.patch (bsc#1206301) + Buffer over flow in audin_send_open() function - Security fixes: + xrdp-CVE-2022-23468.patch (bsc#1206300) * Buffer overflow in xrdp_login_wnd_create() + xrdp-CVE-2022-23478.patch (bsc#1206302) * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan + xrdp-CVE-2022-23479.patch (bsc#1206303) * Buffer overflow in xrdp_mm_chan_data_in() function + xrdp-CVE-2022-23480.patch (bsc#1206306) * Buffer overflow in devredir_proc_client_devlist_announce_req + xrdp-CVE-2022-23481.patch (bsc#1206307) * Out of Bound Read in xrdp_caps_process_confirm_active() + xrdp-CVE-2022-23482.patch (bsc#1206310) + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() + xrdp-CVE-2022-23483.patch (bsc#1206311) + Out of Bound REad in libxrdp_send_to_channel() + xrdp-CVE-2022-23484.patch (bsc#1206312) + Integer Overflow in xrdp_mm_process_rail_update_window_text() + xrdp-CVE-2022-23493.patch (bsc#1206313) + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() OBS-URL: https://build.opensuse.org/request/show/1057176 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106 --- xrdp-CVE-2022-23468.patch | 33 ++++ xrdp-CVE-2022-23477.patch | 37 ++++ xrdp-CVE-2022-23478.patch | 84 +++++++++ xrdp-CVE-2022-23479.patch | 82 +++++++++ xrdp-CVE-2022-23480.patch | 355 ++++++++++++++++++++++++++++++++++++++ xrdp-CVE-2022-23481.patch | 45 +++++ xrdp-CVE-2022-23482.patch | 68 ++++++++ xrdp-CVE-2022-23483.patch | 63 +++++++ xrdp-CVE-2022-23484.patch | 30 ++++ xrdp-CVE-2022-23493.patch | 32 ++++ xrdp.changes | 29 ++++ xrdp.spec | 55 ++++-- 12 files changed, 901 insertions(+), 12 deletions(-) create mode 100644 xrdp-CVE-2022-23468.patch create mode 100644 xrdp-CVE-2022-23477.patch create mode 100644 xrdp-CVE-2022-23478.patch create mode 100644 xrdp-CVE-2022-23479.patch create mode 100644 xrdp-CVE-2022-23480.patch create mode 100644 xrdp-CVE-2022-23481.patch create mode 100644 xrdp-CVE-2022-23482.patch create mode 100644 xrdp-CVE-2022-23483.patch create mode 100644 xrdp-CVE-2022-23484.patch create mode 100644 xrdp-CVE-2022-23493.patch diff --git a/xrdp-CVE-2022-23468.patch b/xrdp-CVE-2022-23468.patch new file mode 100644 index 0000000..4683aeb --- /dev/null +++ b/xrdp-CVE-2022-23468.patch @@ -0,0 +1,33 @@ +From a0b5de1d09ed149cbbee8697f001adbbe9476a06 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:16:44 +0000 +Subject: [PATCH 1/9] CVE-2022-23468 + +Login window - replace g_sprintf() withl g_snprintf() calls +--- + xrdp/xrdp_login_wnd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c +index 7a3134fd..28748676 100644 +--- a/xrdp/xrdp_login_wnd.c ++++ b/xrdp/xrdp_login_wnd.c +@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self) + if (globals->ls_title[0] == 0) + { + g_gethostname(buf1, 256); +- g_sprintf(buf, "Login to %s", buf1); ++ g_snprintf(buf, sizeof(buf), "Login to %s", buf1); + set_string(&self->login_window->caption1, buf); + } + else + { + /*self->login_window->caption1 = globals->ls_title[0];*/ +- g_sprintf(buf, "%s", globals->ls_title); ++ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title); + set_string(&self->login_window->caption1, buf); + } + +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23477.patch b/xrdp-CVE-2022-23477.patch new file mode 100644 index 0000000..eb27e2f --- /dev/null +++ b/xrdp-CVE-2022-23477.patch @@ -0,0 +1,37 @@ +From c57c32e6cfeda40b3f006a5ba63a3ff161e8d497 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 11:31:31 +0000 +Subject: [PATCH] CVE-2022-23477 + +Prevent buffer overflow for oversized audio format from client +--- + sesman/chansrv/audin.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c +index cd802fa5..36a8027a 100644 +--- a/sesman/chansrv/audin.c ++++ b/sesman/chansrv/audin.c +@@ -181,15 +181,16 @@ audin_send_open(int chan_id) + int error; + int bytes; + struct stream *s; +- struct xr_wave_format_ex *wf; ++ struct xr_wave_format_ex *wf = g_client_formats[g_current_format]; + + LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:"); + make_stream(s); +- init_stream(s, 8192); ++ /* wf->cbSize was checked when the format was received */ ++ init_stream(s, wf->cbSize + 64); ++ + out_uint8(s, MSG_SNDIN_OPEN); + out_uint32_le(s, 2048); /* FramesPerPacket */ + out_uint32_le(s, g_current_format); /* initialFormat */ +- wf = g_client_formats[g_current_format]; + out_uint16_le(s, wf->wFormatTag); + out_uint16_le(s, wf->nChannels); + out_uint32_le(s, wf->nSamplesPerSec); +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23478.patch b/xrdp-CVE-2022-23478.patch new file mode 100644 index 0000000..72ab0b1 --- /dev/null +++ b/xrdp-CVE-2022-23478.patch @@ -0,0 +1,84 @@ +From 2a71e18fe78529c0d9338eaafe87d4313382b7cc Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:12:42 +0000 +Subject: [PATCH 2/9] CVE-2022-23478 + +Fix potential OOB write if invalid chansrv channel opened + +Also removed an unnecessary dynamic memory allocation +--- + xrdp/xrdp_mm.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516a..c91e03ab 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + int error; + int chan_id; + int chansrv_chan_id; +- char *name; ++ char name[1024 + 1]; + struct xrdp_drdynvc_procs procs; + + if (!s_check_rem(s, 2)) +@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, name_bytes); +- if ((name_bytes < 1) || (name_bytes > 1024)) +- { +- return 1; +- } +- name = g_new(char, name_bytes + 1); +- if (name == NULL) ++ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1))) + { + return 1; + } + if (!s_check_rem(s, name_bytes)) + { +- g_free(name); + return 1; + } + in_uint8a(s, name, name_bytes); + name[name_bytes] = 0; + if (!s_check_rem(s, 8)) + { +- g_free(name); + return 1; + } + in_uint32_le(s, flags); + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } ++ + if (flags == 0) + { + /* open static channel, not supported */ +- g_free(name); + return 1; + } + else +@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + &chan_id); + if (error != 0) + { +- g_free(name); + return 1; + } + self->xr2cr_cid_map[chan_id] = chansrv_chan_id; + self->cs2xr_cid_map[chansrv_chan_id] = chan_id; + } +- g_free(name); + return 0; + } + +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23479.patch b/xrdp-CVE-2022-23479.patch new file mode 100644 index 0000000..0cab189 --- /dev/null +++ b/xrdp-CVE-2022-23479.patch @@ -0,0 +1,82 @@ +From de3b0bea6406619632a6583235ba467ff97528f8 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:44:56 +0000 +Subject: [PATCH 3/9] CVE-2022-23479 + +Detect attempts to overflow input buffer + +If application code hasn't properly sanitised the header_size +for a transport, it is possible for read requests to be issued +which overflow the input buffer. This change detects this +at a low level and bounces the read request. +--- + common/trans.c | 19 +++++++++++++++---- + common/trans.h | 2 +- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/common/trans.c b/common/trans.c +index 55d2a638..1d2d3e68 100644 +--- a/common/trans.c ++++ b/common/trans.c +@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) + tbus in_sck = (tbus) 0; + struct trans *in_trans = (struct trans *) NULL; + int read_bytes = 0; +- int to_read = 0; +- int read_so_far = 0; ++ unsigned int to_read = 0; ++ unsigned int read_so_far = 0; + int rv = 0; + enum xrdp_source cur_source; + +@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) + } + else if (self->trans_can_recv(self, self->sck, 0)) + { ++ /* CVE-2022-23479 - check a malicious caller hasn't managed ++ * to set the header_size to an unreasonable value */ ++ if (self->header_size > (unsigned int)self->in_s->size) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "trans_check_wait_objs: Reading %u bytes beyond buffer", ++ self->header_size - (unsigned int)self->in_s->size); ++ self->status = TRANS_STATUS_DOWN; ++ return 1; ++ } ++ + cur_source = XRDP_SOURCE_NONE; + if (self->si != 0) + { + cur_source = self->si->cur_source; + self->si->cur_source = self->my_source; + } +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + to_read = self->header_size - read_so_far; + + if (to_read > 0) +@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) + } + } + +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + + if (read_so_far == self->header_size) + { +diff --git a/common/trans.h b/common/trans.h +index 1cd89fda..313c543b 100644 +--- a/common/trans.h ++++ b/common/trans.h +@@ -98,7 +98,7 @@ struct trans + ttrans_data_in trans_data_in; + ttrans_conn_in trans_conn_in; + void *callback_data; +- int header_size; ++ unsigned int header_size; + struct stream *in_s; + struct stream *out_s; + char *listen_filename; +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23480.patch b/xrdp-CVE-2022-23480.patch new file mode 100644 index 0000000..8e0bf46 --- /dev/null +++ b/xrdp-CVE-2022-23480.patch @@ -0,0 +1,355 @@ +From 6680c506e4562715e3ff500c114208dac88863cb Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 12:48:57 +0000 +Subject: [PATCH 4/9] CVE-2022-23480 + +Added length checking to redirector response parsing +--- + sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++------- + 1 file changed, 123 insertions(+), 28 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index a44d47e6..7faa9bfc 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void); + static void devredir_send_server_clientID_confirm(void); + static void devredir_send_server_user_logged_on(void); + +-static void devredir_proc_client_core_cap_resp(struct stream *s); +-static void devredir_proc_client_devlist_announce_req(struct stream *s); +-static void devredir_proc_client_devlist_remove_req(struct stream *s); +-static void devredir_proc_device_iocompletion(struct stream *s); ++static int devredir_proc_client_core_cap_resp(struct stream *s); ++static int devredir_proc_client_devlist_announce_req(struct stream *s); ++static int devredir_proc_client_devlist_remove_req(struct stream *s); ++static int devredir_proc_device_iocompletion(struct stream *s); + static void devredir_proc_query_dir_response(IRP *irp, + struct stream *s_in, + tui32 DeviceId, +@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + } + + /* read header from incoming data */ ++ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER")) ++ { ++ rv = -1; ++ goto done; ++ } + xstream_rd_u16_le(ls, comp_type); + xstream_rd_u16_le(ls, pktID); + +@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + switch (pktID) + { + case PAKID_CORE_CLIENTID_CONFIRM: +- xstream_seek(ls, 2); /* major version, we ignore it */ +- xstream_rd_u16_le(ls, minor_ver); +- xstream_rd_u32_le(ls, g_clientID); ++ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP")) ++ { ++ rv = -1; ++ } ++ else ++ { ++ xstream_seek(ls, 2); /* major version, we ignore it */ ++ xstream_rd_u16_le(ls, minor_ver); ++ xstream_rd_u32_le(ls, g_clientID); + +- g_client_rdp_version = minor_ver; ++ g_client_rdp_version = minor_ver; + +- switch (minor_ver) +- { +- case RDP_CLIENT_50: +- break; ++ switch (minor_ver) ++ { ++ case RDP_CLIENT_50: ++ break; + +- case RDP_CLIENT_51: +- break; ++ case RDP_CLIENT_51: ++ break; + +- case RDP_CLIENT_52: +- break; ++ case RDP_CLIENT_52: ++ break; + +- case RDP_CLIENT_60_61: +- break; ++ case RDP_CLIENT_60_61: ++ break; ++ } ++ // LK_TODO devredir_send_server_clientID_confirm(); + } +- // LK_TODO devredir_send_server_clientID_confirm(); + break; + + case PAKID_CORE_CLIENT_NAME: +@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + break; + + case PAKID_CORE_CLIENT_CAPABILITY: +- devredir_proc_client_core_cap_resp(ls); ++ rv = devredir_proc_client_core_cap_resp(ls); + break; + + case PAKID_CORE_DEVICELIST_ANNOUNCE: +- devredir_proc_client_devlist_announce_req(ls); ++ rv = devredir_proc_client_devlist_announce_req(ls); + break; + + case PAKID_CORE_DEVICELIST_REMOVE: +- devredir_proc_client_devlist_remove_req(ls); ++ rv = devredir_proc_client_devlist_remove_req(ls); + break; + + case PAKID_CORE_DEVICE_IOCOMPLETION: +- devredir_proc_device_iocompletion(ls); ++ rv = devredir_proc_device_iocompletion(ls); + break; + + default: +@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id, + * @brief process client's response to our core_capability_req() msg + * + * @param s stream containing client's response ++ * @return 0 for success, -1 otherwise + *****************************************************************************/ +-static void ++static int + devredir_proc_client_core_cap_resp(struct stream *s) + { + int i; +@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s) + tui32 cap_version; + char *holdp; + ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, num_caps); + xstream_seek(s, 2); /* padding */ + + for (i = 0; i < num_caps; i++) + { + holdp = s->p; ++ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, cap_type); + xstream_rd_u16_le(s, cap_len); + xstream_rd_u32_le(s, cap_version); ++ /* Convert the length to a remaining length. Underflow is possible, ++ * but this is an unsigned type so that's OK */ ++ cap_len -= (s->p - holdp); ++ if (cap_len > 0 && ++ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length")) ++ { ++ return -1; ++ } + + switch (cap_type) + { +@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s) + scard_init(); + break; + } +- s->p = holdp + cap_len; ++ xstream_seek(s, cap_len); + } ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_announce_req(struct stream *s) + { + unsigned int i; +@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + enum NTSTATUS response_status; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ")) ++ { ++ return -1; ++ } ++ + xstream_rd_u32_le(s, device_count); + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count); + + for (i = 0; i < device_count; i++) + { ++ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_type); + xstream_rd_u32_le(s, g_device_id); + /* get preferred DOS name +@@ -816,6 +856,12 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + + /* Read the device data length from the stream */ + xstream_rd_u32_le(s, device_data_len); ++ if (device_data_len > 0 && ! ++ !s_check_rem_and_log(s, device_data_len, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata")) ++ { ++ return -1; ++ } + + switch (device_type) + { +@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + devredir_send_server_device_announce_resp(g_device_id, + response_status); + } ++ ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_remove_req(struct stream *s) + { + unsigned int i; +@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + tui32 device_id; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_count); ++ if (!s_check_rem_and_log(s, 4 * device_count, ++ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list")) ++ { ++ return -1; ++ } + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count); + { +@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + xfuse_delete_share(device_id); + } + } ++ return 0; + } + +-static void ++static int + devredir_proc_device_iocompletion(struct stream *s) + { + IRP *irp = NULL; +@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s) + tui32 Length; + enum COMPLETION_TYPE comp_type; + ++ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, DeviceId); + xstream_rd_u32_le(s, CompletionId); + xstream_rd_u32_le(s, IoStatus32); +@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s) + } + else + { ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_send_drive_dir_request(irp, DeviceId, + 1, irp->pathname); +@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_CREATE_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_create_file( +@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_OPEN_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info, +@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_READ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); ++ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info, + IoStatus, + s->p, Length); +@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_WRITE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); + xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info, + IoStatus, +@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RMDIR_OR_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rmdir_or_file(irp, IoStatus); + break; +@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RENAME_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rename_file(irp, IoStatus); + break; +@@ -1051,6 +1145,7 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + } + } ++ return 0; + } + + static void +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23481.patch b/xrdp-CVE-2022-23481.patch new file mode 100644 index 0000000..614cbec --- /dev/null +++ b/xrdp-CVE-2022-23481.patch @@ -0,0 +1,45 @@ +From 69888a988b8cf811e4a8e393700c374d31749e76 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:40:25 +0000 +Subject: [PATCH 5/9] CVE-2022-23481 + +Add length checks to client confirm active PDU parsing +--- + libxrdp/xrdp_caps.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c +index 5c5e74a5..ac21cc0a 100644 +--- a/libxrdp/xrdp_caps.c ++++ b/libxrdp/xrdp_caps.c +@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s) + int len; + char *p; + ++ if (!s_check_rem_and_log(s, 10, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header")) ++ { ++ return 1; ++ } + in_uint8s(s, 4); /* rdp_shareid */ + in_uint8s(s, 2); /* userid */ + in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */ + in_uint16_le(s, cap_len); ++ ++ if (!s_check_rem_and_log(s, source_len + 2 + 2, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header2")) ++ { ++ return 1; ++ } + in_uint8s(s, source_len); + in_uint16_le(s, num_caps); + in_uint8s(s, 2); /* pad */ ++ + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU " + "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, " + "lengthCombinedCapabilities %d, sourceDescriptor (ignored), " +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23482.patch b/xrdp-CVE-2022-23482.patch new file mode 100644 index 0000000..4af6cab --- /dev/null +++ b/xrdp-CVE-2022-23482.patch @@ -0,0 +1,68 @@ +From b01a62ac07933e0690eb0fa3329f5288c6069cf6 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:05:46 +0000 +Subject: [PATCH 6/9] CVE-2022-23482 + +Check minimum length of TS_UD_CS_CORE message +--- + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c +index 691d4f04..084fca6b 100644 +--- a/libxrdp/xrdp_sec.c ++++ b/libxrdp/xrdp_sec.c +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) + static int + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + { ++#define CS_CORE_MIN_LENGTH \ ++ (\ ++ 4 + /* Version */ \ ++ 2 + 2 + /* desktopWidth + desktopHeight */ \ ++ 2 + 2 + /* colorDepth + SASSequence */ \ ++ 4 + /* keyboardLayout */ \ ++ 4 + 32 + /* clientBuild + clientName */ \ ++ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ ++ 64 + /* imeFileName */ \ ++ 0) ++ + int version; + int colorDepth; + int postBeta2ColorDepth; +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + + UNUSED_VAR(version); + +- /* TS_UD_CS_CORE requiered fields */ ++ /* TS_UD_CS_CORE required fields */ ++ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, ++ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) ++ { ++ return 1; ++ } + in_uint32_le(s, version); + in_uint16_le(s, self->rdp_layer->client_info.width); + in_uint16_le(s, self->rdp_layer->client_info.height); +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + clientName); + + /* TS_UD_CS_CORE optional fields */ ++ if (!s_check_rem(s, 2)) ++ { ++ return 0; ++ } + in_uint16_le(s, postBeta2ColorDepth); + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " + " postBeta2ColorDepth %s", +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + " desktopOrientation (ignored)"); + + return 0; ++#undef CS_CORE_MIN_LENGTH + } + + /*****************************************************************************/ +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23483.patch b/xrdp-CVE-2022-23483.patch new file mode 100644 index 0000000..81c4a3a --- /dev/null +++ b/xrdp-CVE-2022-23483.patch @@ -0,0 +1,63 @@ +From 5c95289b98f10f5a0be098e4bc9c0d189db171ca Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:21:41 +0000 +Subject: [PATCH 7/9] CVE-2022-23483 + +Sanitise channel data being passed from application + +Avoids OOB read if the size field is incorrect. +--- + xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index c91e03ab..bc7b1b83 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans) + static int + xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s) + { +- int size; +- int total_size; ++ unsigned int size; ++ unsigned int total_size; + int chan_id; + int chan_flags; +- int rv; +- +- in_uint16_le(s, chan_id); +- in_uint16_le(s, chan_flags); +- in_uint16_le(s, size); +- in_uint32_le(s, total_size); +- rv = 0; ++ int rv = 0; + +- if (rv == 0) ++ if (!s_check_rem_and_log(s, 10, "Reading channel data header")) ++ { ++ rv = 1; ++ } ++ else + { +- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size, +- chan_flags); ++ in_uint16_le(s, chan_id); ++ in_uint16_le(s, chan_flags); ++ in_uint16_le(s, size); ++ in_uint32_le(s, total_size); ++ if (!s_check_rem_and_log(s, size, "Reading channel data data")) ++ { ++ rv = 1; ++ } ++ else ++ { ++ rv = libxrdp_send_to_channel(self->wm->session, chan_id, ++ s->p, size, total_size, chan_flags); ++ } + } + + return rv; +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23484.patch b/xrdp-CVE-2022-23484.patch new file mode 100644 index 0000000..860eda0 --- /dev/null +++ b/xrdp-CVE-2022-23484.patch @@ -0,0 +1,30 @@ +From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:03:24 +0000 +Subject: [PATCH 8/9] CVE-2022-23484 + +Add check for RAIL window text size +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index bc7b1b83..b59345d7 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s) + + g_memset(&rwso, 0, sizeof(rwso)); + in_uint32_le(s, size); /* title size */ ++ if (size < 0 || !s_check_rem(s, size)) ++ { ++ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d", ++ __func__, size); ++ return 1; ++ } + rwso.title_info = g_new(char, size + 1); + in_uint8a(s, rwso.title_info, size); + rwso.title_info[size] = 0; +-- +2.39.0 + diff --git a/xrdp-CVE-2022-23493.patch b/xrdp-CVE-2022-23493.patch new file mode 100644 index 0000000..f7a6ef6 --- /dev/null +++ b/xrdp-CVE-2022-23493.patch @@ -0,0 +1,32 @@ +From 5c1399c30901b98ee9eb0b83be2847eb74b9e80d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:49:06 +0000 +Subject: [PATCH 9/9] CVE-2022-23493 + +Check chansrv channel ID on a channel close + +Prevent OOB read if an invalid channel ID is sent. +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index b59345d7..c27c2341 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1447,6 +1447,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } + chan_id = self->cs2xr_cid_map[chansrv_chan_id]; + /* close dynamic channel */ + error = libxrdp_drdynvc_close(self->wm->session, chan_id); +-- +2.39.0 + diff --git a/xrdp.changes b/xrdp.changes index 6a4ec26..12bafd6 100644 --- a/xrdp.changes +++ b/xrdp.changes @@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Tue Jan 10 02:08:45 UTC 2023 - Daike Yu + +- xrdp-CVE-2022-23477.patch (bsc#1206301) + + Buffer over flow in audin_send_open() function + +------------------------------------------------------------------- +Wed Dec 28 04:47:31 UTC 2022 - Daike Yu + +- Security fixes: + + xrdp-CVE-2022-23468.patch (bsc#1206300) + * Buffer overflow in xrdp_login_wnd_create() + + xrdp-CVE-2022-23478.patch (bsc#1206302) + * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan + + xrdp-CVE-2022-23479.patch (bsc#1206303) + * Buffer overflow in xrdp_mm_chan_data_in() function + + xrdp-CVE-2022-23480.patch (bsc#1206306) + * Buffer overflow in devredir_proc_client_devlist_announce_req + + xrdp-CVE-2022-23481.patch (bsc#1206307) + * Out of Bound Read in xrdp_caps_process_confirm_active() + + xrdp-CVE-2022-23482.patch (bsc#1206310) + + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() + + xrdp-CVE-2022-23483.patch (bsc#1206311) + + Out of Bound REad in libxrdp_send_to_channel() + + xrdp-CVE-2022-23484.patch (bsc#1206312) + + Integer Overflow in xrdp_mm_process_rail_update_window_text() + + xrdp-CVE-2022-23493.patch (bsc#1206313) + + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() + ------------------------------------------------------------------- Mon Dec 5 02:06:32 UTC 2022 - Daike Yu diff --git a/xrdp.spec b/xrdp.spec index 4b4e8b9..eae6218 100644 --- a/xrdp.spec +++ b/xrdp.spec @@ -1,7 +1,7 @@ # # spec file for package xrdp # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -44,16 +44,37 @@ Patch4: xrdp-disable-8-bpp-vnc-support.patch Patch5: xrdp-support-KillDisconnected-for-Xvnc.patch # PATCH-FIX-OPENSUSE xrdp-systemd-services.patch boo#1138954 boo#1144327 - fezhang@suse.com -- Let systemd handle the daemons Patch6: xrdp-systemd-services.patch -# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support. -Patch11: xrdp-avahi.diff -# PATCH-FIX-SLE xrdp-filter-tab-from-mstsc-on-focus-change.patch bnc#601996 bnc#623534 - dliang@novell.com -- filter the fake tab key which is used to notify the session -Patch12: xrdp-filter-tab-from-mstsc-on-focus-change.patch -# PATCH-FIX-SLE xrdp-bsc965647-allow-admin-choose-desktop.patch bsc#965647 - fezhang@suse.com -- Allow administrator choose the desktop displayed -Patch13: xrdp-bsc965647-allow-admin-choose-desktop.patch -# PATCH-FEATURE-SLE xrdp-fate318398-change-expired-password.patch fate#318398 - fezhang@suse.com -- enable user to update expired password via PAM -Patch14: xrdp-fate318398-change-expired-password.patch # PATCH-FIX-UPSTREAM xrdp-update-pam.d-path.patch bsc#1203468 - yu.daike@suse.com -- update install script to accommodate with pam.d path move -Patch15: xrdp-update-pam.d-path.patch +Patch7: xrdp-update-pam.d-path.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23468.patch bsc#1206300 - yu.daike@suse.com -- Buffer overflow in xrdp_login_wnd_create() +Patch8: xrdp-CVE-2022-23468.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23478.patch bsc#1206302 - yu.daike@suse.com -- Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan +Patch9: xrdp-CVE-2022-23478.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23479.patch bsc#1206303 - yu.daike@suse.com -- Buffer overflow in xrdp_mm_chan_data_in() function +Patch10: xrdp-CVE-2022-23479.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23480.patch bsc#1206306 - yu.daike@suse.com -- Buffer overflow in devredir_proc_client_devlist_announce_req +Patch11: xrdp-CVE-2022-23480.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23481.patch bsc#1206307 - yu.daike@suse.com -- Out of Bound Read in xrdp_caps_process_confirm_active() +Patch12: xrdp-CVE-2022-23481.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23482.patch bsc#1206310 - yu.daike@suse.com -- Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() +Patch13: xrdp-CVE-2022-23482.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23483.patch bsc#1206311 - yu.daike@suse.com -- Out of Bound Read in libxrdp_send_to_channel() +Patch14: xrdp-CVE-2022-23483.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23484.patch bsc#1206312 - yu.daike@suse.com -- Integer Overflow in xrdp_mm_process_rail_update_window_text() +Patch15: xrdp-CVE-2022-23484.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23493.patch bsc#1206313 - yu.daike@suse.com -- Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() +Patch16: xrdp-CVE-2022-23493.patch +# PATCH-FIX-UPSTREAM xrdp-CVE-2022-23477.patch bsc#1206301 - yu.daike@suse.com -- Buffer over flow in audin_send_open() function +Patch17: xrdp-CVE-2022-23477.patch +# Keep SLE only patches on the bottom starting from patch number 1001 +# PATCH-FEATURE-SLE xrdp-avahi.diff bnc#586785 - hfiguiere@novell.com -- Add Avahi support. +Patch1001: xrdp-avahi.diff +# PATCH-FIX-SLE xrdp-filter-tab-from-mstsc-on-focus-change.patch bnc#601996 bnc#623534 - dliang@novell.com -- filter the fake tab key which is used to notify the session +Patch1002: xrdp-filter-tab-from-mstsc-on-focus-change.patch +# PATCH-FIX-SLE xrdp-bsc965647-allow-admin-choose-desktop.patch bsc#965647 - fezhang@suse.com -- Allow administrator choose the desktop displayed +Patch1003: xrdp-bsc965647-allow-admin-choose-desktop.patch +# PATCH-FEATURE-SLE xrdp-fate318398-change-expired-password.patch fate#318398 - fezhang@suse.com -- enable user to update expired password via PAM +Patch1004: xrdp-fate318398-change-expired-password.patch BuildRequires: autoconf BuildRequires: automake @@ -106,13 +127,23 @@ This package contains libraries for the JPEG2000 codec for RDP. %patch4 -p1 %patch5 -p1 %patch6 -p1 -%if 0%{?sle_version} +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 -%endif %patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%if 0%{?sle_version} +%patch1001 -p1 +%patch1002 -p1 +%patch1003 -p1 +%patch1004 -p1 +%endif %build sh ./bootstrap