xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager

Debian Bug report logs - #882463
xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager

Date: Thu, 23 Nov 2017 09:57:28 +0100

Source: xrdp
Version: 0.9.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/neutrinolabs/xrdp/pull/958

Hi,

the following vulnerability was published for xrdp.

CVE-2017-16927[0]:
| The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session
| manager in xrdp through 0.9.4 uses an untrusted integer as a write
| length, which allows local users to cause a denial of service (buffer
| overflow and application crash) or possibly have unspecified other
| impact via a crafted input stream.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16927
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16927
[1] https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
[2] https://github.com/neutrinolabs/xrdp/pull/958

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 882463@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Dominik George <nik@naturalnet.de>, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>

Cc: debian-lts@lists.debian.org, 882463@bugs.debian.org

Subject: Wheezy update of xrdp?

Date: Thu, 23 Nov 2017 12:51:49 +0100

Hello Dominik,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of xrdp:
https://security-tracker.debian.org/tracker/CVE-2017-16927

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of xrdp updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Message #19 received at 882463-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 882463-submitter@bugs.debian.org

Subject: Bug#882463 marked as pending

Date: Fri, 15 Dec 2017 01:06:36 +0000

tag 882463 pending
thanks

Hello,

Bug #882463 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=180d149

---
commit 180d1495f0729e6afdda2e60c1c0aeaf2bec05b5
Author: Dominik George <nik@naturalnet.de>
Date:   Fri Dec 15 02:05:25 2017 +0100

    Add patch for CVE-2017-16927.

diff --git a/debian/changelog b/debian/changelog
index ce894b1..422df4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-9+deb9u2) stretch; urgency=medium
+
+  * Fix CVE-2017-16927. (Closes: #882463)
+
+ -- Dominik George <nik@naturalnet.de>  Fri, 15 Dec 2017 02:05:40 +0100
+
 xrdp (0.9.1-9+deb9u1) stretch; urgency=medium
 
   * Fix high CPU load on SSL shutdown. (Closes: #876976)

Message #22 received at 882463-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 882463-submitter@bugs.debian.org

Subject: Bug#882463 marked as pending

Date: Fri, 15 Dec 2017 01:11:25 +0000

tag 882463 pending
thanks

Hello,

Bug #882463 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=690b1ae

---
commit 690b1aea2b21dde4d82c154d0f132c5348bd24e9
Author: Dominik George <nik@naturalnet.de>
Date:   Fri Dec 15 02:10:06 2017 +0100

    Add patch for CVE-2017-16927.

diff --git a/debian/changelog b/debian/changelog
index a6c0ade..355b3db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ xrdp (0.9.4-2) UNRELEASED; urgency=medium
 
   [ Dominik George ]
   * Fix typo in previous changelog.
+  * Fix CVE-2017-16927. (Closes: #882463)
 
   [ Thorsten Glaser ]
   * Place missing log_end_msg in init script.
@@ -10,7 +11,7 @@ xrdp (0.9.4-2) UNRELEASED; urgency=medium
   * Cherry-pick missing parts from experimental branch.
   * Fix another typo in previous changelog.
 
- -- Thorsten Glaser <tg@mirbsd.de>  Tue, 10 Oct 2017 20:21:09 +0200
+ -- Dominik George <nik@naturalnet.de>  Fri, 15 Dec 2017 02:10:18 +0100
 
 xrdp (0.9.4-1) unstable; urgency=medium
 

Message #25 received at 882463-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 882463-submitter@bugs.debian.org

Subject: Bug#882463 marked as pending

Date: Fri, 15 Dec 2017 01:17:31 +0000

tag 882463 pending
thanks

Hello,

Bug #882463 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=d852069

---
commit d8520695e237c8853380e247e82d22d155c8b7e3
Author: Dominik George <nik@naturalnet.de>
Date:   Fri Dec 15 02:05:25 2017 +0100

    Add patch for CVE-2017-16927.

diff --git a/debian/changelog b/debian/changelog
index ce894b1..b430e2a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-9+deb9u2) stretch-security; urgency=high
+
+  * Fix CVE-2017-16927. (Closes: #882463)
+
+ -- Dominik George <nik@naturalnet.de>  Fri, 15 Dec 2017 02:05:40 +0100
+
 xrdp (0.9.1-9+deb9u1) stretch; urgency=medium
 
   * Fix high CPU load on SSL shutdown. (Closes: #876976)

Message #32 received at 882463-close@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 882463-close@bugs.debian.org

Subject: Bug#882463: fixed in xrdp 0.9.4-2

Date: Fri, 15 Dec 2017 01:49:23 +0000

Source: xrdp
Source-Version: 0.9.4-2

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Dec 2017 02:10:18 +0100
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source amd64
Version: 0.9.4-2
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
 xorgxrdp   - Remote Desktop Protocol (RDP) modules for X.org
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 882463
Changes:
 xrdp (0.9.4-2) unstable; urgency=high
 .
   [ Dominik George ]
   * Fix typo in previous changelog.
   * Fix CVE-2017-16927. (Closes: #882463)
   * Bump Standards-Version.
     + No changes needed.
 .
   [ Thorsten Glaser ]
   * Place missing log_end_msg in init script.
   * Run libpainter/bootstrap as well.
   * Re-enable SIMD on any-i386.
   * Cherry-pick missing parts from experimental branch.
   * Fix another typo in previous changelog.
Checksums-Sha1:
 b1cde0d1c99637a015bdfa3c50b9daa8c3f22e05 2668 xrdp_0.9.4-2.dsc
 7b16f45d926cab36ce369dbf953ae3b29533ea60 24692 xrdp_0.9.4-2.debian.tar.xz
 a1bf0e0e3f72234142cb77e482e1e10d69ce225b 907692 xorgxrdp-dbgsym_0.9.4-2_amd64.deb
 a54bbfc36a76eb711b9fabf507f82fad2981c694 83748 xorgxrdp_0.9.4-2_amd64.deb
 f6cac895b9efbf3507dbb08029503694d33bd390 689996 xrdp-dbgsym_0.9.4-2_amd64.deb
 febe0a93bc08b9e59fed91296c8b783609e11068 10562 xrdp_0.9.4-2_amd64.buildinfo
 e6e08824b2cd25dd4c23130a2d8842177b1d0cfe 423532 xrdp_0.9.4-2_amd64.deb
Checksums-Sha256:
 84cbe65db64b63a829baf96a9d138bb3c4ce8e3464a20304e67993bc3000c1e1 2668 xrdp_0.9.4-2.dsc
 af5bf78ac6fce04db69c9d59eb079f1c71877dc93dc727e672c73132158725fb 24692 xrdp_0.9.4-2.debian.tar.xz
 e8792d001062b3f96eafc8182e82139c35d18496a2fa3d1babb1fdfa262b0a69 907692 xorgxrdp-dbgsym_0.9.4-2_amd64.deb
 dd72b1736275148a308e18631d4ea4d80c0c8ed1a9937c4447198e97468122ac 83748 xorgxrdp_0.9.4-2_amd64.deb
 460cbc5ec1c333b0e6d6f0adf57c7dfc7729b5da0f2864faebd4920d845d09eb 689996 xrdp-dbgsym_0.9.4-2_amd64.deb
 7a9a9d5488c44e31ea44d4324e8f5f3b403b67514205b727424192db5277e793 10562 xrdp_0.9.4-2_amd64.buildinfo
 20ad910e145adc7969b08ac4a84e7f3c4a98c37b0421782e907c15d6c19a3f56 423532 xrdp_0.9.4-2_amd64.deb
Files:
 fba6ff6b7ef2456ebb4ad3446711574f 2668 net optional xrdp_0.9.4-2.dsc
 4823776abc8e9a3eb1691efbd8b46b77 24692 net optional xrdp_0.9.4-2.debian.tar.xz
 8488f6f19fb7db59b13f4aaa9c81dee2 907692 debug optional xorgxrdp-dbgsym_0.9.4-2_amd64.deb
 d150d85fdd0eb395813f5ad6664c550e 83748 net optional xorgxrdp_0.9.4-2_amd64.deb
 be398e91fc5f21a06c124bfd2dbe9328 689996 debug optional xrdp-dbgsym_0.9.4-2_amd64.deb
 fd174aa32adc438cd7bd8e98145b37f3 10562 net optional xrdp_0.9.4-2_amd64.buildinfo
 acff5267d5a63241d9d82bf63363d1c0 423532 net optional xrdp_0.9.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCABPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlozJDkxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTylq6QD/9+gTDy6BcN1YUYVBCCJGOqe/Y5SUJpwmpVbdXGINRvxu3HUpHeB1Ck
t0NVEqjvgE86RrJnsdnLKZjlQeGltDEYCqfVb/P9AXFPtCmZ6PdLTDePfOxCdZfk
XRkTRDPQe5dzjLDDx/MHOkBrzP7J3Le9xDZZEJ5MLqL1omivmwpg1J1Nb4wQkjmu
ZasjXDMtICIKr4Wf57LLvmEqSEAi1q542N4dDLelwS3SD8XxXVwxN8NVYlOb5FRs
mR+j3xiYkoGSUCNFGUHV6bTe90oExrGZVc+SGv5kKD24wBSS5NOoQjkUBPZrf9nh
GjwxrdsZctE6RUtdUGAStOrTw3L7xDEFB/vXQX0mWPMS6l08tXlFlJvmmPsN44ou
acjAHyTBSWe2rz36O92Hj3n7Q/VvznY2FygADE6+uxlEaULN6fROihJBBoKqF/0p
fbZMntr6XtHSZM+LuGCpJyKyiT7tvc2R3N5cLeRugJIW1BHz0EzSlld+J15exTFq
0DosIvjc15LaK5Kta6LAN2ujrSCNGNvBcH01EDL9EYWLvpcxM7zq00iFiyAaYWRj
z0YScjs+MR7J9fYA22OSMSURZX9ee0HD7EfToZj0xCBtQ+0biIwAtodTByduI/Uh
K50PWh4y5U/sqSM2JMOWX37Cvt+7VeJ4Vg2Rx3hy/6crfVWh4n2i5A==
=Q/P5
-----END PGP SIGNATURE-----

Message #37 received at 882463@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: Raphael Hertzog <hertzog@debian.org>, 882463@bugs.debian.org

Cc: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>, debian-lts@lists.debian.org

Subject: Re: Bug#882463: Wheezy update of xrdp?

Date: Fri, 15 Dec 2017 03:15:46 +0100

[Message part 1 (text/plain, inline)]

Hi,

> Would you like to take care of this yourself?

Not really. Go ahead ☺.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

[signature.asc (application/pgp-signature, inline)]

Message #42 received at 882463-close@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 882463-close@bugs.debian.org

Subject: Bug#882463: fixed in xrdp 0.9.1-9+deb9u2

Date: Fri, 23 Feb 2018 12:47:10 +0000

Source: xrdp
Source-Version: 0.9.1-9+deb9u2

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882463@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Dec 2017 19:28:28 +0100
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source amd64
Version: 0.9.1-9+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
 xorgxrdp   - Remote Desktop Protocol (RDP) modules for X.org
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 882463 884453
Changes:
 xrdp (0.9.1-9+deb9u2) stretch; urgency=medium
 .
   * Fix CVE-2017-16927. (Closes: #882463)
   * Fix high CPU load on ssl_tls_accept. (Closes: #884453)
Checksums-Sha1:
 de2c8a3e38b054a98f99a159f4629ecc7058ae0d 2667 xrdp_0.9.1-9+deb9u2.dsc
 dc1bb7b6ce2fb7a46eb90f5f18a7a4b46acbbad5 29464 xrdp_0.9.1-9+deb9u2.debian.tar.xz
 12ed5c7105e61c93e27d9e9918de5af6fe6762a8 898410 xorgxrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 86641f6e164b48d2208a3a30a5ce07c3abfad1fc 80536 xorgxrdp_0.9.1-9+deb9u2_amd64.deb
 fae0ce86e009764605eb5fc7bd2f56c5c0b92cec 729496 xrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 166e83a63ee2015428d882a1d22e6eefa54c5f5d 10628 xrdp_0.9.1-9+deb9u2_amd64.buildinfo
 f2e861769ec1697ee341ab38be6e8347b9a93b35 438424 xrdp_0.9.1-9+deb9u2_amd64.deb
Checksums-Sha256:
 0d0876631b77fa2574a2d5650313e7d006d428d4ce7542ba88a2e165d22b6b71 2667 xrdp_0.9.1-9+deb9u2.dsc
 c504d134b279358121b00228cdb0a76aae410e900cd67038564f44d102900d32 29464 xrdp_0.9.1-9+deb9u2.debian.tar.xz
 38a3d21c16e6db71148e7d15a48effb210120f940002ed4fa93054330133dd97 898410 xorgxrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 924cf0d0146e561edf4ab3697f8a3ea3fd50e59c644233414ea5e2064b000f69 80536 xorgxrdp_0.9.1-9+deb9u2_amd64.deb
 bbdeb747c49db82b4069bac3d1c1c224579ac5e33efffcf33e3cd68257e0e02c 729496 xrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 63723f753721751aeed5b94b4cebed8e34a226ec172dfa8da548ccdead12e8e7 10628 xrdp_0.9.1-9+deb9u2_amd64.buildinfo
 83dc60644dd6f30d160b7e50d904c5ebfa3e632d83600ab5251cbf4e6da5dfab 438424 xrdp_0.9.1-9+deb9u2_amd64.deb
Files:
 1127b6c11ce7c68b0a8421477629198d 2667 net optional xrdp_0.9.1-9+deb9u2.dsc
 5f83fc3f40a5f12656586b4ccac79707 29464 net optional xrdp_0.9.1-9+deb9u2.debian.tar.xz
 c9e974f7707f10ac5f7c93621b9eef7f 898410 debug extra xorgxrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 2020d7fc2525a30c63bd5d8ef297928c 80536 net optional xorgxrdp_0.9.1-9+deb9u2_amd64.deb
 e5eca75ceb3cba61c5d4383690bff104 729496 debug extra xrdp-dbgsym_0.9.1-9+deb9u2_amd64.deb
 9e9e03d0040029669b285501eaa395c0 10628 net optional xrdp_0.9.1-9+deb9u2_amd64.buildinfo
 b3897b68539b17b2c79ede6806f770fe 438424 net optional xrdp_0.9.1-9+deb9u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCABPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlqKCzwxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTyll+aEADYSCTLUn7R48eF0yPi+9+tZBT1hcscBiwtvG+8HfPE7VLkwu72CS23
ZfAw0YNse9B42XcXX87DRq7Pzb3f15D5JhXgbS+Q1KGmY2cbPYN+naTT2tlPRacR
+GlpNFLjLSoODs095haN8TY2kyo1Sgscq7w5Tf+ZQgP1oF39t58h+S+HF3PcAHX2
CQsoX7AuEerARBkHJ1Q54T9+hleo+uV6S+18VfW4TY+qId2KPoZdveDHDXLjw9im
fYu5sZTXUc5EN1glN8hxT+VdY0JH/2ydVrH6j5h9aV5WT1kp7lSP3AR1JhIU7VaW
FFGkb7tiDL8V74v71zG6c5tMdcoqg+nhANzcjnEN7/sAuACApAbkQB1gnoNkRhcl
IsmnxlRs8d5UKuI4wv4TNB/6yYOQtxP6kLWSrKmmOPwYUlA2BMom0ojXFZC1K+fb
VURM7Sjx+nsXRb06jrbmpOzsMaWlZJoRJxaFPqm18Zs9KtybXD4TOES0YeSu2nGr
cAjWYc0JTZBxIJSLajO+J8pyqUJ3/VbbsGQny7xRHD7yrldaLS7xGGbi+X2SmylE
tJ4x658UxvP6hKGogBxopKD6QlGNrlnPksn+9LDwFl5JIKBflpRO9ibCioJWrCLe
N/5H3NIF+mO2wFnBGfdPj7lCeWki4OkMwBJ+NfZEq/N5QaQxhDQPqQ==
=Hfb/
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.