xrdp: CVE-2008-590[2-4] arbitrary code execution

Related Vulnerabilities: CVE-2008-5903   CVE-2008-5902   CVE-2008-5904  

Debian Bug report logs - #511641


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 13 Jan 2009 00:03:02 UTC

Severity: grave

Tags: patch, security

Fixed in version xrdp/0.4.0~dfsg-9

Done: Vincent Bernat <bernat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Vincent Bernat <bernat@debian.org>:
Bug#511641; Package xrdp. (Tue, 13 Jan 2009 00:03:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Vincent Bernat <bernat@debian.org>. (Tue, 13 Jan 2009 00:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xrdp: Multiple security issues
Date: Tue, 13 Jan 2009 01:02:05 +0100
Package: xrdp
Severity: grave
Tags: security
Justification: user security hole

Several vulnerabilities in xrdp have been spotted on the oss-security
list. Please see this PDF for details:

http://packetstormsecurity.org/0812-advisories/VA_VD_87_08_XRDP.pdf

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages xrdp depends on:
ii  adduser                       3.110      add and remove users and groups
ii  libc6                         2.7-16     GNU C Library: Shared libraries
ii  libpam0g                      1.0.1-4    Pluggable Authentication Modules l
ii  libssl0.9.8                   0.9.8g-14  SSL shared libraries

Versions of packages xrdp recommends:
pn  vnc4server | tightvncserver | <none>     (no description available)

xrdp suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>:
Bug#511641; Package xrdp. (Sat, 17 Jan 2009 13:06:02 GMT)


Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>:
Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 13:06:03 GMT)


Message #10 received at 511641@bugs.debian.org:

From: Vincent Bernat <bernat@luffy.cx>
To: 511641@bugs.debian.org
Cc: control@bugs.debian.org
Subject: [Ondrej Kolacek] Debian bug #511641 [xrdp] xrdp: Multiple security issues fix
Date: Sat, 17 Jan 2009 14:05:10 +0100
tags 511641 + patch
thanks

Hi!

Here are patches proposed by Ondrej Kolacek.

[Message part 2 (message/rfc822, inline)]
From: "Ondrej Kolacek" <ondrej.kolacek@centrum.cz>
To: <bernat@debian.org>
Subject: Debian bug #511641 [xrdp] xrdp: Multiple security issues fix
Date: Sat, 17 Jan 2009 00:11:12 +0100
Hello, 
I have looked at and hopefully fixed the aforementioned bug; the diffs are against the latest testing source (0.4.0~dfsg8) and thus potentially worthless, but I am afraid I do not know the procedures at all.
Have a nice day,
Ondrej

[patch_xrdp_bitmap.patch (application/octet-stream, inline)]
[patch_rdp_rdp.patch (application/octet-stream, inline)]
-- 
 /* After several hours of tedious analysis, the following hash
  * function won.  Do not mess with it... -DaveM
  */
	2.2.16 /usr/src/linux/fs/buffer.c

Tags added: patch. Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Sat, 17 Jan 2009 13:06:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>:
Bug#511641; Package xrdp. (Sat, 17 Jan 2009 16:45:03 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 16:45:03 GMT)


Message #17 received at 511641@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 511641@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE ids
Date: Sat, 17 Jan 2009 17:41:11 +0100
retitle 511641 xrdp: CVE-2008-590{2,3} arbitrary code execution
thanks

Hi,
CVE-2008-5903 and CVE-2008-5902 have been assigned to these 
vulnerabilities, please reference them in the changelog if 
you fix this bug.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `xrdp: CVE-2008-590{2,3} arbitrary code execution' from `xrdp: Multiple security issues'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2009 16:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>:
Bug#511641; Package xrdp. (Sat, 17 Jan 2009 16:48:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 16:48:03 GMT)


Message #24 received at 511641@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 511641@bugs.debian.org
Cc: control@bugs.debian.org
Subject: another CVE id
Date: Sat, 17 Jan 2009 17:44:04 +0100
retitle 511641 xrdp: CVE-2008-590[2-4] arbitrary code execution
thanks

CVE-2008-5904 was also assigned. So we can sum this up as:
CVE-2008-5904[0]:
| The rdp_rdp_process_color_pointer_pdu function in rdp/rdp_rdp.c in
| xrdp 0.4.1 and earlier allows remote RDP servers to have an unknown
| impact via input data that sets crafted values for certain length
| variables, leading to a buffer overflow.

CVE-2008-5903[1]:
| Array index error in the xrdp_bitmap_def_proc function in xrdp/funcs.c
| in xrdp 0.4.1 and earlier allows remote attackers to execute arbitrary
| code via vectors that manipulate the value of the edit_pos structure
| member.

CVE-2008-5902[2]:
| Buffer overflow in the xrdp_bitmap_invalidate function in
| xrdp/xrdp_bitmap.c in xrdp 0.4.1 and earlier allows remote attackers
| to execute arbitrary code via a crafted request.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5904
    http://security-tracker.debian.net/tracker/CVE-2008-5904
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5903
    http://security-tracker.debian.net/tracker/CVE-2008-5903
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5902
    http://security-tracker.debian.net/tracker/CVE-2008-5902

Cheers
Nico


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `xrdp: CVE-2008-590[2-4] arbitrary code execution' from `xrdp: CVE-2008-590{2,3} arbitrary code execution'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2009 16:48:04 GMT)


Tags added: pending. Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Fri, 23 Jan 2009 21:24:08 GMT)


Reply sent to Vincent Bernat <bernat@debian.org>:
You have taken responsibility. (Sun, 25 Jan 2009 00:48:12 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 25 Jan 2009 00:48:12 GMT)


Message #33 received at 511641-close@bugs.debian.org:

From: Vincent Bernat <bernat@debian.org>
To: 511641-close@bugs.debian.org
Subject: Bug#511641: fixed in xrdp 0.4.0~dfsg-9
Date: Sun, 25 Jan 2009 00:18:18 +0000
Source: xrdp
Source-Version: 0.4.0~dfsg-9

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive:

xrdp_0.4.0~dfsg-9.diff.gz
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.diff.gz
xrdp_0.4.0~dfsg-9.dsc
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.dsc
xrdp_0.4.0~dfsg-9_amd64.deb
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 23 Jan 2009 21:29:14 +0100
Source: xrdp
Binary: xrdp
Architecture: source amd64
Version: 0.4.0~dfsg-9
Distribution: unstable
Urgency: high
Maintainer: Vincent Bernat <bernat@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description: 
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 511641
Changes: 
 xrdp (0.4.0~dfsg-9) unstable; urgency=high
 .
   * Fix CVE-2008-5902 and CVE-2008-5904 with the help of patches proposed
     by Ondrej Kolacek. The patch fixing CVE-2008-5902 also happens to fix
     CVE-2008-5903 by checking boundary before calling add_char_at(). This
     closes: #511641.
   * Really add patch to fix monochrome cursor issue.
   * Also updates Standards-Version and add ${misc:Depends} macro.
   * Don't use Pa macro in xrdp-keygen manual page.
Checksums-Sha1: 
 ded6f104fc0f799b14193f8719d847600e587f85 1159 xrdp_0.4.0~dfsg-9.dsc
 dd2d59a2e4368fea609f30eb16156b76abb6e188 21129 xrdp_0.4.0~dfsg-9.diff.gz
 e4d140c7b52d9890e12e84352634102e49788549 228688 xrdp_0.4.0~dfsg-9_amd64.deb
Checksums-Sha256: 
 5665b7a615f3e2f60c07b67c77d5cc0cbf4a1497218df9e104535d02c6ac3c88 1159 xrdp_0.4.0~dfsg-9.dsc
 463272a455bf229b13bcbcec8fd549129a5e8dcc1d345dca97516f4f7c778306 21129 xrdp_0.4.0~dfsg-9.diff.gz
 d27d7878fc5a0db8e779156f5ea03b6735f515965bcf06516f655ee11b2e9b82 228688 xrdp_0.4.0~dfsg-9_amd64.deb
Files: 
 5c5cb881520c9f0e8700cfe5fb352900 1159 net optional xrdp_0.4.0~dfsg-9.dsc
 2bf52294a895c96151e6a77d89a0e79a 21129 net optional xrdp_0.4.0~dfsg-9.diff.gz
 9d136b98b4346d312425ef3fbfc82071 228688 net optional xrdp_0.4.0~dfsg-9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl7olsACgkQKFvXofIqeU7QEQCdFqr5SU5Hs1acM3BkbACDb7Wh
WeQAn0l0nDvdeo19hWdIUQrtWU5H+lFe
=7JJO
-----END PGP SIGNATURE-----
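The changelog above states that the fix checks the boundary before calling add_char_at(), and the CVE summaries describe an out-of-range edit_pos and peer-controlled length variables driving a buffer overflow. The following C program is an added example written for this page; it is not xrdp's code and not Ondrej Kolacek's patch. `struct edit_box`, `struct cursor_pdu`, the capacities `EDIT_CAP`, `MASK_MAX` and `DATA_MAX`, and the little-endian PDU layout are all constructed for illustration. It demonstrates the two validation patterns such a fix relies on: refusing an edit position outside [0, len] (or a full buffer) before the insertion touches memory, and checking every length field taken from the peer against both the destination capacity and the bytes actually present in the input.

```c
/* Added example, not xrdp code: bounds-checked caret insertion and
 * length-validated parsing of a PDU that carries its own length fields.
 * All struct layouts and sizes below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EDIT_CAP 16   /* constructed capacity of the edit buffer (incl. NUL) */
#define MASK_MAX 128  /* constructed fixed size of the cursor mask buffer */
#define DATA_MAX 3072 /* constructed fixed size of the cursor data buffer */

struct edit_box {
    char text[EDIT_CAP];  /* NUL-terminated contents */
    int len;              /* current string length, always < EDIT_CAP */
    int edit_pos;         /* caret position, must stay within [0, len] */
};

/* Hardened insertion: the position and the remaining room are validated
 * before any byte is moved. Returns 1 on success, 0 if the request is refused. */
int add_char_at_checked(struct edit_box *eb, int pos, char c)
{
    if (eb == NULL || pos < 0 || pos > eb->len)
        return 0;                       /* caret outside the string: refuse */
    if (eb->len + 1 >= EDIT_CAP)
        return 0;                       /* no room for the char plus NUL */
    memmove(&eb->text[pos + 1], &eb->text[pos], (size_t)(eb->len - pos) + 1);
    eb->text[pos] = c;
    eb->len++;
    return 1;
}

/* The caret is only ever moved through this clamp, so edit_pos can never
 * be used as an index without having passed the range check. */
int set_edit_pos(struct edit_box *eb, int pos)
{
    if (eb == NULL || pos < 0 || pos > eb->len)
        return 0;
    eb->edit_pos = pos;
    return 1;
}

struct cursor_pdu {
    uint16_t width, height;
    uint16_t mask_len, data_len;
    uint8_t mask[MASK_MAX];
    uint8_t data[DATA_MAX];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed wire format (little-endian):
 *   u16 width, u16 height, u16 mask_len, u16 data_len, mask[mask_len], data[data_len]
 * Returns the number of bytes consumed, or 0 when a length exceeds the
 * fixed destination buffer or the input that is actually available. */
size_t parse_cursor_pdu(const uint8_t *in, size_t in_len, struct cursor_pdu *out)
{
    if (in == NULL || out == NULL || in_len < 8)
        return 0;
    out->width = rd16(in);
    out->height = rd16(in + 2);
    out->mask_len = rd16(in + 4);
    out->data_len = rd16(in + 6);
    /* Both length fields come from the peer: bound them by capacity ... */
    if (out->mask_len > MASK_MAX || out->data_len > DATA_MAX)
        return 0;
    /* ... and by what the input really carries, before the first memcpy. */
    if ((size_t)out->mask_len + out->data_len > in_len - 8)
        return 0;
    memcpy(out->mask, in + 8, out->mask_len);
    memcpy(out->data, in + 8 + out->mask_len, out->data_len);
    return 8 + (size_t)out->mask_len + out->data_len;
}

/* Self-checks on constructed input, so the behaviour can be asserted. */
int demo_insert(void)
{
    struct edit_box eb = { "abc", 3, 0 };
    int ok = add_char_at_checked(&eb, 1, 'X');     /* "aXbc" */
    int rej1 = add_char_at_checked(&eb, 9, 'Y');   /* pos > len: refused */
    int rej2 = add_char_at_checked(&eb, -1, 'Y');  /* negative: refused */
    return ok && !rej1 && !rej2 && strcmp(eb.text, "aXbc") == 0 && eb.len == 4;
}

int demo_fill(void)   /* appends until full: EDIT_CAP - 1 chars, then refusals */
{
    struct edit_box eb = { "", 0, 0 };
    int n = 0;
    while (add_char_at_checked(&eb, eb.len, 'z'))
        n++;
    return n;
}

size_t demo_pdu_good(void)       /* constructed 32x32 cursor, 4 mask + 4 data bytes */
{
    static const uint8_t pdu[] = { 32,0, 32,0, 4,0, 4,0, 1,2,3,4, 5,6,7,8 };
    struct cursor_pdu c;
    return parse_cursor_pdu(pdu, sizeof pdu, &c);
}

size_t demo_pdu_oversized(void)  /* mask_len 0xFFFF exceeds MASK_MAX: rejected */
{
    static const uint8_t pdu[] = { 32,0, 32,0, 0xff,0xff, 0,0, 1,2,3,4 };
    struct cursor_pdu c;
    return parse_cursor_pdu(pdu, sizeof pdu, &c);
}

size_t demo_pdu_truncated(void)  /* lengths fit the buffers but not the input */
{
    static const uint8_t pdu[] = { 32,0, 32,0, 4,0, 4,0, 1,2 };
    struct cursor_pdu c;
    return parse_cursor_pdu(pdu, sizeof pdu, &c);
}

int main(void)
{
    printf("insert ok: %d, chars accepted: %d, pdu consumed: %zu / %zu / %zu\n",
           demo_insert(), demo_fill(),
           demo_pdu_good(), demo_pdu_oversized(), demo_pdu_truncated());
    return 0;
}
```

The two parsers share one rule: every index or length that originates with the remote side is compared against a compile-time capacity and against the bytes actually received before it is used to address memory, and a failed check rejects the whole PDU rather than clamping it silently, which also makes such rejections easy to log and alert on.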





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:48:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:28:16 2019; Machine Name: beach
