[pkg-remote-commits] [xrdp] 01/01: Add patch for CVE-2017-16927.
Dominik George
natureshadow-guest at moszumanska.debian.org
Fri Dec 15 01:06:35 UTC 2017
This is an automated email from the git hooks/post-receive script.
natureshadow-guest pushed a commit to branch stretch
in repository xrdp.
commit 180d1495f0729e6afdda2e60c1c0aeaf2bec05b5
Author: Dominik George <nik at naturalnet.de>
Date: Fri Dec 15 02:05:25 2017 +0100
Add patch for CVE-2017-16927.
---
debian/changelog | 6 ++
debian/patches/cve-2017-16927.patch | 137 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 144 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ce894b1..422df4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-9+deb9u2) stretch; urgency=medium
+
+ * Fix CVE-2017-16927. (Closes: #882463)
+
+ -- Dominik George <nik at naturalnet.de> Fri, 15 Dec 2017 02:05:40 +0100
+
xrdp (0.9.1-9+deb9u1) stretch; urgency=medium
* Fix high CPU load on SSL shutdown. (Closes: #876976)
diff --git a/debian/patches/cve-2017-16927.patch b/debian/patches/cve-2017-16927.patch
new file mode 100644
index 0000000..af8ea58
--- /dev/null
+++ b/debian/patches/cve-2017-16927.patch
@@ -0,0 +1,137 @@
+From: Idan Freiberg
+Subject: sesman: scpv0, accept variable length data fields
+Origin: https://github.com/neutrinolabs/xrdp/commit/ebd0510a7d4dab906b6e01570205dfa530d1f7bf.diff
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882463
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -157,7 +157,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ struct SCP_SESSION *session = 0;
+ tui16 sz;
+ tui32 code = 0;
+- char buf[257];
++ char *buf = 0;
+
+ if (!skipVchk)
+ {
+@@ -222,27 +222,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* width */
+ in_uint16_be(c->in_s, sz);
+@@ -268,9 +272,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_domain(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -281,9 +287,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_program(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -294,9 +302,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_directory(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -307,9 +317,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_client_ip(session, buf);
++ g_free(buf);
+ }
+ }
+ }
+@@ -328,29 +340,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received user name: %s",buf); */
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received password: %s",buf); */
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ }
+ else
+ {
diff --git a/debian/patches/series b/debian/patches/series
index a2ae49b..ca1ecfd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ kb_jp.diff
highres.diff
cve-2017-6967.diff
fix-876976.patch
+cve-2017-16927.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-remote/xrdp.git
More information about the pkg-remote-commits
mailing list