Patch CVE-2017-16927.
This commit is contained in:
parent
ebf3964dd6
commit
95313000bd
144
xrdp-0.9.4-CVE-2017-16927.patch
Normal file
144
xrdp-0.9.4-CVE-2017-16927.patch
Normal file
@ -0,0 +1,144 @@
|
||||
From ebd0510a7d4dab906b6e01570205dfa530d1f7bf Mon Sep 17 00:00:00 2001
|
||||
From: speidy <speidy@gmail.com>
|
||||
Date: Wed, 22 Nov 2017 02:32:28 +0200
|
||||
Subject: [PATCH] sesman: scpv0, accept variable length data fields
|
||||
|
||||
---
|
||||
sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++-------
|
||||
1 file changed, 25 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
|
||||
index 5a0c8bfa0..569340786 100644
|
||||
--- a/sesman/libscp/libscp_v0.c
|
||||
+++ b/sesman/libscp/libscp_v0.c
|
||||
@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
struct SCP_SESSION *session = 0;
|
||||
tui16 sz;
|
||||
tui32 code = 0;
|
||||
- char buf[257];
|
||||
+ char *buf = 0;
|
||||
|
||||
if (!skipVchk)
|
||||
{
|
||||
@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
|
||||
/* reading username */
|
||||
in_uint16_be(c->in_s, sz);
|
||||
- buf[sz] = '\0';
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
-
|
||||
+ buf[sz] = '\0';
|
||||
if (0 != scp_session_set_username(session, buf))
|
||||
{
|
||||
scp_session_destroy(session);
|
||||
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
|
||||
+ g_free(buf);
|
||||
return SCP_SERVER_STATE_INTERNAL_ERR;
|
||||
}
|
||||
+ g_free(buf);
|
||||
|
||||
/* reading password */
|
||||
in_uint16_be(c->in_s, sz);
|
||||
- buf[sz] = '\0';
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
-
|
||||
+ buf[sz] = '\0';
|
||||
if (0 != scp_session_set_password(session, buf))
|
||||
{
|
||||
scp_session_destroy(session);
|
||||
log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
|
||||
+ g_free(buf);
|
||||
return SCP_SERVER_STATE_INTERNAL_ERR;
|
||||
}
|
||||
+ g_free(buf);
|
||||
|
||||
/* width */
|
||||
in_uint16_be(c->in_s, sz);
|
||||
@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
|
||||
if (sz > 0)
|
||||
{
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
buf[sz] = '\0';
|
||||
scp_session_set_domain(session, buf);
|
||||
+ g_free(buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
|
||||
if (sz > 0)
|
||||
{
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
buf[sz] = '\0';
|
||||
scp_session_set_program(session, buf);
|
||||
+ g_free(buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
|
||||
if (sz > 0)
|
||||
{
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
buf[sz] = '\0';
|
||||
scp_session_set_directory(session, buf);
|
||||
+ g_free(buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
|
||||
if (sz > 0)
|
||||
{
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
buf[sz] = '\0';
|
||||
scp_session_set_client_ip(session, buf);
|
||||
+ g_free(buf);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
|
||||
scp_session_set_type(session, SCP_GW_AUTHENTICATION);
|
||||
/* reading username */
|
||||
in_uint16_be(c->in_s, sz);
|
||||
- buf[sz] = '\0';
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
+ buf[sz] = '\0';
|
||||
|
||||
/* g_writeln("Received user name: %s",buf); */
|
||||
if (0 != scp_session_set_username(session, buf))
|
||||
{
|
||||
scp_session_destroy(session);
|
||||
/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
|
||||
+ g_free(buf);
|
||||
return SCP_SERVER_STATE_INTERNAL_ERR;
|
||||
}
|
||||
+ g_free(buf);
|
||||
|
||||
/* reading password */
|
||||
in_uint16_be(c->in_s, sz);
|
||||
- buf[sz] = '\0';
|
||||
+ buf = g_new0(char, sz);
|
||||
in_uint8a(c->in_s, buf, sz);
|
||||
+ buf[sz] = '\0';
|
||||
|
||||
/* g_writeln("Received password: %s",buf); */
|
||||
if (0 != scp_session_set_password(session, buf))
|
||||
{
|
||||
scp_session_destroy(session);
|
||||
/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
|
||||
+ g_free(buf);
|
||||
return SCP_SERVER_STATE_INTERNAL_ERR;
|
||||
}
|
||||
+ g_free(buf);
|
||||
}
|
||||
else
|
||||
{
|
@ -7,7 +7,7 @@ Summary: Open source remote desktop protocol (RDP) server
|
||||
Name: xrdp
|
||||
Epoch: 1
|
||||
Version: 0.9.4
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: ASL 2.0
|
||||
Group: Applications/Internet
|
||||
URL: http://www.xrdp.org/
|
||||
@ -23,6 +23,7 @@ Patch1: xrdp-0.9.2-xrdp-ini.patch
|
||||
Patch2: xrdp-0.9.4-service.patch
|
||||
Patch3: xrdp-0.9.2-setpriv.patch
|
||||
Patch4: xrdp-0.9.2-scripts-libexec.patch
|
||||
Patch5: xrdp-0.9.4-CVE-2017-16927.patch
|
||||
|
||||
BuildRequires: libX11-devel
|
||||
BuildRequires: libXfixes-devel
|
||||
@ -258,6 +259,9 @@ fi
|
||||
%{_datadir}/selinux/*/%{name}.pp
|
||||
|
||||
%changelog
|
||||
* Fri Nov 24 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.4-2
|
||||
- Patch CVE-2017-16927
|
||||
|
||||
* Fri Oct 6 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.4-1
|
||||
- Bump up to 0.9.4
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user