Patch CVE-2017-16927.

2017-11-24 10:53:52 +11:00 · 2017-11-24 10:53:52 +11:00 · 95313000bd
commit 95313000bd
parent ebf3964dd6
2 changed files with 149 additions and 1 deletions
--- a/xrdp-0.9.4-CVE-2017-16927.patch
+++ b/xrdp-0.9.4-CVE-2017-16927.patch
@ -0,0 +1,144 @@
+From ebd0510a7d4dab906b6e01570205dfa530d1f7bf Mon Sep 17 00:00:00 2001
+From: speidy <speidy@gmail.com>
+Date: Wed, 22 Nov 2017 02:32:28 +0200
+Subject: [PATCH] sesman: scpv0, accept variable length data fields
+
+---
+ sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 5a0c8bfa0..569340786 100644
+--- a/sesman/libscp/libscp_v0.c
+++ b/sesman/libscp/libscp_v0.c
+@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+     struct SCP_SESSION *session = 0;
+     tui16 sz;
+     tui32 code = 0;
+-    char buf[257];
+    char *buf = 0;
+ 
+     if (!skipVchk)
+     {
+@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
+        buf[sz] = '\0';
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
+        buf[sz] = '\0';
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* width */
+         in_uint16_be(c->in_s, sz);
+@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_domain(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_program(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_directory(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_client_ip(session, buf);
+                g_free(buf);
+             }
+         }
+     }
+@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+         scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+        buf[sz] = '\0';
+ 
+         /* g_writeln("Received user name: %s",buf); */
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting        username", __LINE__);*/
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+        buf[sz] = '\0';
+ 
+         /* g_writeln("Received password: %s",buf); */
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+     }
+     else
+     {
--- a/xrdp.spec
+++ b/xrdp.spec
@ -7,7 +7,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.4
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   ASL 2.0
 Group:     Applications/Internet
 URL:       http://www.xrdp.org/
@ -23,6 +23,7 @@ Patch1:    xrdp-0.9.2-xrdp-ini.patch
 Patch2:    xrdp-0.9.4-service.patch
 Patch3:    xrdp-0.9.2-setpriv.patch
 Patch4:    xrdp-0.9.2-scripts-libexec.patch
+Patch5:    xrdp-0.9.4-CVE-2017-16927.patch

 BuildRequires: libX11-devel
 BuildRequires: libXfixes-devel
@ -258,6 +259,9 @@ fi
 %{_datadir}/selinux/*/%{name}.pp

 %changelog
+* Fri Nov 24 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.4-2
+- Patch CVE-2017-16927
+
 * Fri Oct  6 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.4-1
 - Bump up to 0.9.4