From e170ac2818e6c031b09d21a7f459d6b1c1ade245 Mon Sep 17 00:00:00 2001 From: Zheng Ruoqin Date: Mon, 25 Dec 2017 18:30:16 +0800 Subject: xrdp: CVE-2017-16927 Fix of CVE-2017-16927 Signed-off-by: Zheng Ruoqin Signed-off-by: Armin Kuster --- .../xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch | 148 +++++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb | 1 + 2 files changed, 149 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch (limited to 'meta-oe') diff --git a/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch new file mode 100644 index 0000000000..4c93647f67 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch @@ -0,0 +1,148 @@ +Subject: [PATCH] Fix CVE-2017-16927 + +sesman: scpv0, accept variable length data fields + +Upstream-Status: Backport + +--- + sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c +index 5a0c8bf..5693407 100644 +--- a/sesman/libscp/libscp_v0.c ++++ b/sesman/libscp/libscp_v0.c +@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + struct SCP_SESSION *session = 0; + tui16 sz; + tui32 code = 0; +- char buf[257]; ++ char *buf = 0; + + if (!skipVchk) + { +@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + /* reading username */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++ buf[sz] = '\0'; + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__); ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* reading password */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++ buf[sz] = '\0'; + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* width */ + in_uint16_be(c->in_s, sz); +@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_domain(session, buf); ++ g_free(buf); + } + } + +@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_program(session, buf); ++ g_free(buf); + } + } + +@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_directory(session, buf); ++ g_free(buf); + } + } + +@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_client_ip(session, buf); ++ g_free(buf); + } + } + } +@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + scp_session_set_type(session, SCP_GW_AUTHENTICATION); + /* reading username */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); ++ buf[sz] = '\0'; + + /* g_writeln("Received user name: %s",buf); */ + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/ ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* reading password */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); ++ buf[sz] = '\0'; + + /* g_writeln("Received password: %s",buf); */ + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */ ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + } + else + { +-- +2.7.4 + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb index e7a77e4493..ccc8e359a7 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/neutrinolabs/xrdp.git \ file://0001-Fix-sesman.ini-and-xrdp.ini.patch \ file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \ file://0001-Fix-the-compile-error.patch \ + file://0001-Fix-of-CVE-2017-16927.patch \ " SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5" -- cgit 1.2.3-korg