[pkg-remote-commits] [xrdp] 01/02: Add patch for CVE-2017-16927.

Dominik George natureshadow-guest at moszumanska.debian.org
Fri Dec 15 01:11:24 UTC 2017


This is an automated email from the git hooks/post-receive script.

natureshadow-guest pushed a commit to branch master
in repository xrdp.

commit 690b1aea2b21dde4d82c154d0f132c5348bd24e9
Author: Dominik George <nik at naturalnet.de>
Date:   Fri Dec 15 02:10:06 2017 +0100

    Add patch for CVE-2017-16927.
---
 debian/changelog                    |   3 +-
 debian/patches/cve-2017-16927.patch | 137 ++++++++++++++++++++++++++++++++++++
 debian/patches/series               |   1 +
 3 files changed, 140 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index a6c0ade..355b3db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ xrdp (0.9.4-2) UNRELEASED; urgency=medium
 
   [ Dominik George ]
   * Fix typo in previous changelog.
+  * Fix CVE-2017-16927. (Closes: #882463)
 
   [ Thorsten Glaser ]
   * Place missing log_end_msg in init script.
@@ -10,7 +11,7 @@ xrdp (0.9.4-2) UNRELEASED; urgency=medium
   * Cherry-pick missing parts from experimental branch.
   * Fix another typo in previous changelog.
 
- -- Thorsten Glaser <tg at mirbsd.de>  Tue, 10 Oct 2017 20:21:09 +0200
+ -- Dominik George <nik at naturalnet.de>  Fri, 15 Dec 2017 02:10:18 +0100
 
 xrdp (0.9.4-1) unstable; urgency=medium
 
diff --git a/debian/patches/cve-2017-16927.patch b/debian/patches/cve-2017-16927.patch
new file mode 100644
index 0000000..9208213
--- /dev/null
+++ b/debian/patches/cve-2017-16927.patch
@@ -0,0 +1,137 @@
+From: Idan Freiberg
+Subject: sesman: scpv0, accept variable length data fields
+Origin: https://github.com/neutrinolabs/xrdp/commit/ebd0510a7d4dab906b6e01570205dfa530d1f7bf.diff
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882463
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+     struct SCP_SESSION *session = 0;
+     tui16 sz;
+     tui32 code = 0;
+-    char buf[257];
++    char *buf = 0;
+ 
+     if (!skipVchk)
+     {
+@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
++        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
++        buf[sz] = '\0';
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
++            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
++        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
++        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
++        buf[sz] = '\0';
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
++            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
++        g_free(buf);
+ 
+         /* width */
+         in_uint16_be(c->in_s, sz);
+@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+             if (sz > 0)
+             {
++                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_domain(session, buf);
++                g_free(buf);
+             }
+         }
+ 
+@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+             if (sz > 0)
+             {
++                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_program(session, buf);
++                g_free(buf);
+             }
+         }
+ 
+@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+             if (sz > 0)
+             {
++                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_directory(session, buf);
++                g_free(buf);
+             }
+         }
+ 
+@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+             if (sz > 0)
+             {
++                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_client_ip(session, buf);
++                g_free(buf);
+             }
+         }
+     }
+@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+         scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
++        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
++        buf[sz] = '\0';
+ 
+         /* g_writeln("Received user name: %s",buf); */
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting        username", __LINE__);*/
++            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
++        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
++        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
++        buf[sz] = '\0';
+ 
+         /* g_writeln("Received password: %s",buf); */
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
++            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
++        g_free(buf);
+     }
+     else
+     {
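Review bot: Every `buf = g_new0(char, sz);` in the embedded libscp_v0.c patch is followed by `buf[sz] = '\0';`, which writes one byte past the end of the sz-byte heap allocation. The fixed-size stack buffer overflow is therefore replaced by a one-byte heap overflow whose offset comes from the length field read off the stream. Reserve the terminator slot with `buf = g_new0(char, sz + 1);` at all eight sites (username and password in both branches, plus domain, program, directory and client_ip). The result of g_new0 is also used without a NULL check, and nothing visible here confirms that sz bytes remain in c->in_s before in_uint8a copies them, so that should be checked against the stream macros. scp_v0s_accept begins and ends outside these hunks.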
diff --git a/debian/patches/series b/debian/patches/series
index 8d13f9b..9abfa5d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ fix_perms.diff
 shutup-daemon.diff
 systemd.diff
 lfs.diff
+cve-2017-16927.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-remote/xrdp.git


