pool/xrdp
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a390a9a598
xrdp/xrdp-CVE-2022-23484.patch
Yifan Jiang f0ddc89311 Accepting request 1057176 from home:yudaike:branches:X11:RemoteDesktop 
- xrdp-CVE-2022-23477.patch (bsc#1206301)
  + Buffer over flow in audin_send_open() function

- Security fixes:
  + xrdp-CVE-2022-23468.patch (bsc#1206300)
    * Buffer overflow in xrdp_login_wnd_create()
  + xrdp-CVE-2022-23478.patch (bsc#1206302)
    * Out of Bound Write in xrdp_mm_trans_process_drdynvc_chan
  + xrdp-CVE-2022-23479.patch (bsc#1206303)
    * Buffer overflow in xrdp_mm_chan_data_in() function
  + xrdp-CVE-2022-23480.patch (bsc#1206306)
    * Buffer overflow in devredir_proc_client_devlist_announce_req
  + xrdp-CVE-2022-23481.patch (bsc#1206307)
    * Out of Bound Read in xrdp_caps_process_confirm_active()
  + xrdp-CVE-2022-23482.patch (bsc#1206310)
    + Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE()
  + xrdp-CVE-2022-23483.patch (bsc#1206311)
    + Out of Bound REad in libxrdp_send_to_channel()
  + xrdp-CVE-2022-23484.patch (bsc#1206312)
    + Integer Overflow in xrdp_mm_process_rail_update_window_text()
  + xrdp-CVE-2022-23493.patch (bsc#1206313)
    + Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()

OBS-URL: https://build.opensuse.org/request/show/1057176
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/xrdp?expand=0&rev=106
2023-01-10 03:10:49 +00:00

31 lines
921 B
Diff
Raw Blame History

From e503ce71bde7ca0817c2f5f4e1561a33a971af46 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Wed, 7 Dec 2022 10:03:24 +0000
Subject: [PATCH 8/9] CVE-2022-23484
Add check for RAIL window text size
---
xrdp/xrdp_mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index bc7b1b83..b59345d7 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -938,6 +938,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s)
g_memset(&rwso, 0, sizeof(rwso));
in_uint32_le(s, size); /* title size */
+ if (size < 0 || !s_check_rem(s, size))
+ {
+ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d",
+ __func__, size);
+ return 1;
+ }
rwso.title_info = g_new(char, size + 1);
in_uint8a(s, rwso.title_info, size);
rwso.title_info[size] = 0;
--
2.39.0
Reference in New Issue View Git Blame Copy Permalink