Debian Bug report logs - #511641: xrdp: CVE-2008-590[2-4] arbitrary code execution
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 13 Jan 2009 00:03:02 UTC
Severity: grave
Tags: patch, security
Fixed in version xrdp/0.4.0~dfsg-9
Done: Vincent Bernat <bernat@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Vincent Bernat <bernat@debian.org>: Bug#511641; Package xrdp. (Tue, 13 Jan 2009 00:03:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Vincent Bernat <bernat@debian.org>. (Tue, 13 Jan 2009 00:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xrdp
Severity: grave
Tags: security
Justification: user security hole
Several vulnerabilities in xrdp have been spotted on the oss-security
list. Please see this PDF for details:
http://packetstormsecurity.org/0812-advisories/VA_VD_87_08_XRDP.pdf
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages xrdp depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libpam0g 1.0.1-4 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
Versions of packages xrdp recommends:
pn vnc4server | tightvncserver | <none> (no description available)
xrdp suggests no packages.
Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>: Bug#511641; Package xrdp. (Sat, 17 Jan 2009 13:06:02 GMT)
Acknowledgement sent to Vincent Bernat <bernat@luffy.cx>: Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 13:06:03 GMT)
Message #10 received at 511641@bugs.debian.org:
[Message part 1 (text/plain, inline)]
tags 511641 + patch
thanks
Hi!
Here are patches proposed by Ondrej Kolacek.
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
Hello,
I have looked at and hopefully fixed the aforementioned bug; the diffs are against latest testing source (0.4.0~dfsg8) and thus potentially worthless but I am afraid I do not know the procedures at all.
Have a nice day,
Ondrej
[patch_xrdp_bitmap.patch (application/octet-stream, inline)]
[patch_rdp_rdp.patch (application/octet-stream, inline)]
[Message part 6 (text/plain, inline)]
--
/* After several hours of tedious analysis, the following hash
* function won. Do not mess with it... -DaveM
*/
2.2.16 /usr/src/linux/fs/buffer.c
Tags added: patch. Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Sat, 17 Jan 2009 13:06:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>: Bug#511641; Package xrdp. (Sat, 17 Jan 2009 16:45:03 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 16:45:03 GMT)
Message #17 received at 511641@bugs.debian.org:
[Message part 1 (text/plain, inline)]
retitle 511641 xrdp: CVE-2008-590{2,3} arbitrary code execution
thanks
Hi,
CVE-2008-5903 and CVE-2008-5902 have been assigned to these
vulnerabilities, please reference them in the changelog if
you fix this bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Changed Bug title to `xrdp: CVE-2008-590{2,3} arbitrary code execution' from `xrdp: Multiple security issues'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2009 16:45:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Vincent Bernat <bernat@debian.org>: Bug#511641; Package xrdp. (Sat, 17 Jan 2009 16:48:02 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Vincent Bernat <bernat@debian.org>. (Sat, 17 Jan 2009 16:48:03 GMT)
Message #24 received at 511641@bugs.debian.org:
[Message part 1 (text/plain, inline)]
retitle 511641 xrdp: CVE-2008-590[2-4] arbitrary code execution
thanks
CVE-2008-5904 was also assigned. So we can sum this up as:
CVE-2008-5904[0]:
| The rdp_rdp_process_color_pointer_pdu function in rdp/rdp_rdp.c in
| xrdp 0.4.1 and earlier allows remote RDP servers to have an unknown
| impact via input data that sets crafted values for certain length
| variables, leading to a buffer overflow.
CVE-2008-5903[1]:
| Array index error in the xrdp_bitmap_def_proc function in xrdp/funcs.c
| in xrdp 0.4.1 and earlier allows remote attackers to execute arbitrary
| code via vectors that manipulate the value of the edit_pos structure
| member.
CVE-2008-5902[2]:
| Buffer overflow in the xrdp_bitmap_invalidate function in
| xrdp/xrdp_bitmap.c in xrdp 0.4.1 and earlier allows remote attackers
| to execute arbitrary code via a crafted request.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5904
http://security-tracker.debian.net/tracker/CVE-2008-5904
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5903
http://security-tracker.debian.net/tracker/CVE-2008-5903
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5902
http://security-tracker.debian.net/tracker/CVE-2008-5902
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
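As an added illustration (not xrdp's code and not Ondrej Kolacek's patches, which are not reproduced in this log), the parser below shows the boundary check that the CVE-2008-5904 description calls for: the mask and data length fields of a colour-pointer PDU are validated against the fixed destination buffers and against the bytes actually remaining in the input before anything is copied. The field layout, buffer sizes and function names are assumptions modelled on the CVE text.

```c
/* Added illustration, not xrdp's code: a colour-pointer PDU parser that
 * checks attacker-controlled length fields before copying. Field layout
 * and buffer sizes are assumptions, not xrdp's real definitions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MASK_BYTES 128   /* assumed: 32x32 1-bpp cursor mask   */
#define DATA_BYTES 3072  /* assumed: 32x32 24-bpp cursor image */

struct pointer_item {
    uint16_t x, y;
    uint8_t mask[MASK_BYTES];
    uint8_t data[DATA_BYTES];
};

struct stream { const uint8_t *p; size_t left; };

/* Read one little-endian uint16; fail instead of reading past the input. */
static int get_u16le(struct stream *s, uint16_t *v)
{
    if (s->left < 2) return -1;
    *v = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2; s->left -= 2;
    return 0;
}

/* Returns 0 on success, -1 if the PDU is truncated or a length field exceeds
 * its destination buffer. Copying mlen/dlen bytes without this check is the
 * fixed-buffer overflow the CVE text describes. */
int parse_color_pointer_pdu(const uint8_t *buf, size_t len, struct pointer_item *out)
{
    struct stream s = { buf, len };
    uint16_t cache_idx, w, h, mlen, dlen;
    if (get_u16le(&s, &cache_idx) || get_u16le(&s, &out->x) || get_u16le(&s, &out->y) ||
        get_u16le(&s, &w) || get_u16le(&s, &h) || get_u16le(&s, &mlen) || get_u16le(&s, &dlen))
        return -1;
    (void)cache_idx; (void)w; (void)h;
    if (mlen > MASK_BYTES || dlen > DATA_BYTES || s.left < (size_t)mlen + dlen)
        return -1;
    memcpy(out->mask, s.p, mlen);
    memcpy(out->data, s.p + mlen, dlen);
    return 0;
}

/* Builds a constructed sample PDU (not captured traffic) with the given
 * length fields and returns the parser's verdict. */
static void put_u16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

int demo_pdu(uint16_t mlen, uint16_t dlen)
{
    static uint8_t pdu[14 + MASK_BYTES + DATA_BYTES];
    struct pointer_item item;
    uint16_t fields[7] = { 0, 10, 10, 32, 32, mlen, dlen };
    for (int i = 0; i < 7; i++) put_u16le(pdu + 2 * i, fields[i]);
    return parse_color_pointer_pdu(pdu, sizeof pdu, &item);
}
```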
Changed Bug title to `xrdp: CVE-2008-590[2-4] arbitrary code execution' from `xrdp: CVE-2008-590{2,3} arbitrary code execution'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 17 Jan 2009 16:48:04 GMT)
Tags added: pending. Request was from Vincent Bernat <bernat@luffy.cx> to control@bugs.debian.org. (Fri, 23 Jan 2009 21:24:08 GMT)
Reply sent to Vincent Bernat <bernat@debian.org>: You have taken responsibility. (Sun, 25 Jan 2009 00:48:12 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sun, 25 Jan 2009 00:48:12 GMT)
Message #33 received at 511641-close@bugs.debian.org:
Source: xrdp
Source-Version: 0.4.0~dfsg-9
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive:
xrdp_0.4.0~dfsg-9.diff.gz
to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.diff.gz
xrdp_0.4.0~dfsg-9.dsc
to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.dsc
xrdp_0.4.0~dfsg-9_amd64.deb
to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 511641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <bernat@debian.org> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 23 Jan 2009 21:29:14 +0100
Source: xrdp
Binary: xrdp
Architecture: source amd64
Version: 0.4.0~dfsg-9
Distribution: unstable
Urgency: high
Maintainer: Vincent Bernat <bernat@debian.org>
Changed-By: Vincent Bernat <bernat@debian.org>
Description:
xrdp - Remote Desktop Protocol (RDP) server
Closes: 511641
Changes:
xrdp (0.4.0~dfsg-9) unstable; urgency=high
.
* Fix CVE-2008-5902 and CVE-2008-5904 with the help of patches proposed
by Ondrej Kolacek. The patch fixing CVE-2008-5902 also happens to fix
CVE-2008-5903 by checking boundary before calling add_char_at(). This
closes: #511641.
* Really add patch to fix monochrome cursor issue.
* Also updates Standards-Version and add ${misc:Depends} macro.
* Don't use Pa macro in xrdp-keygen manual page.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:48:00 GMT)
Last modified: Wed Jun 19 14:28:16 2019