Debian Bug report logs - #858143
xrdp: CVE-2017-6967: incorrect placement of auth_start_session()
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#858143; Package src:xrdp. (Sat, 18 Mar 2017 20:51:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sat, 18 Mar 2017 20:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: xrdp
Version: 0.9.1-7
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/neutrinolabs/xrdp/issues/350
Hi,
the following vulnerability was published for xrdp.
CVE-2017-6967[0]:
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect
| location, leading to PAM session modules not being properly
| initialized, with a potential consequence of incorrect configurations
| or elevation of privileges, aka a pam_limits.so bypass.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6967
[1] http://www.openwall.com/lists/oss-security/2017/03/18/1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
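A check a practitioner can run against the bypass the CVE text describes, added here as an example and not part of the bug report, of xrdp or of Debian's patch: pam_limits.so is supposed to apply the limits from /etc/security/limits.conf to the user's session processes, so if auth_start_session() runs at the wrong point the RDP session keeps whatever limits the daemon had instead. The functions below compare the soft nproc value in /proc/<pid>/limits-style text with the value limits.conf configures for the user. The limits.conf text and the two /proc samples are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the bug report or of xrdp): verify that a
# PAM session actually received the limits pam_limits.so should apply.
# CVE-2017-6967 is a pam_limits bypass: with the session module run at
# the wrong point, the user's processes keep the daemon's limits.

# limit_from_proc prints the soft "Max processes" value from
# /proc/<pid>/limits-style text ($1), passed as a string so the same
# function works on captured output and on constructed samples.
limit_from_proc() {
    printf '%s\n' "$1" | awk -F'  +' '/^Max processes/ { print $2 }'
}

# expected_nproc prints the soft nproc limit configured for user $1 in
# limits.conf-style text ($2): "<domain> <type> <item> <value>".
# A line for the user itself wins over a "*" wildcard line, as in pam_limits.
expected_nproc() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 ~ /^#/ || NF < 4               { next }
        $2 !~ /^(soft|-)$/ || $3 != "nproc" { next }
        $1 == u                           { user = $4 }
        $1 == "*"                         { any = $4 }
        END { if (user != "") print user; else print any }'
}

# pam_limits_applied returns 0 when the session's soft nproc equals the
# configured value and 1 otherwise (the bypass the CVE describes, or no
# configured value at all).
pam_limits_applied() {
    # $1: user, $2: /proc/<pid>/limits text, $3: limits.conf text
    actual=$(limit_from_proc "$2")
    wanted=$(expected_nproc "$1" "$3")
    [ -n "$wanted" ] && [ "$actual" = "$wanted" ]
}

# Constructed samples (not from a real host).
SAMPLE_LIMITS_CONF='# /etc/security/limits.conf (constructed sample)
*          soft    nproc   200
paul       soft    nproc   100
paul       hard    nproc   150'

# A session where pam_limits ran: soft nproc matches limits.conf.
SESSION_OK='Limit                     Soft Limit           Hard Limit           Units
Max processes             100                  150                  processes
Max open files            1024                 4096                 files'

# A session that inherited the daemon limits: nproc was never lowered.
SESSION_BYPASSED='Limit                     Soft Limit           Hard Limit           Units
Max processes             unlimited            unlimited            processes
Max open files            1024                 4096                 files'

# Stand-alone demo on the constructed samples.
if pam_limits_applied paul "$SESSION_OK" "$SAMPLE_LIMITS_CONF"; then
    echo "session 1: pam_limits applied (nproc $(limit_from_proc "$SESSION_OK"))"
fi
if ! pam_limits_applied paul "$SESSION_BYPASSED" "$SAMPLE_LIMITS_CONF"; then
    echo "session 2: pam_limits BYPASSED (nproc $(limit_from_proc "$SESSION_BYPASSED"))"
fi
```

On a live host, run it from a shell inside the RDP session, e.g. `pam_limits_applied "$USER" "$(cat /proc/$$/limits)" "$(cat /etc/security/limits.conf)"`. The check reads limits.conf only; pam_limits also reads /etc/security/limits.d/*.conf, so concatenate those files into the third argument if the limit is set there.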
Marked as found in versions xrdp/0.6.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 18 Mar 2017 20:57:06 GMT)
Marked as fixed in versions xrdp/0.9.2~20170325-1~exp1. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Sun, 26 Mar 2017 23:27:03 GMT)
Added tag(s) fixed-in-experimental. Request was from Thorsten Glaser <t.glaser@tarent.de> to control@bugs.debian.org. (Tue, 28 Mar 2017 18:12:13 GMT)
Added tag(s) pending. Request was from Dominik George <nik@naturalnet.de> to control@bugs.debian.org. (Mon, 24 Apr 2017 18:45:10 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#858143. (Mon, 24 Apr 2017 18:45:15 GMT)
Message #16 received at 858143-submitter@bugs.debian.org:
tag 858143 pending
thanks
Hello,
Bug #858143 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=69bdd1a
---
commit 69bdd1a6b7b278e2343fce0d988a7590177b901c
Author: Dominik George <nik@naturalnet.de>
Date: Mon Apr 24 20:15:26 2017 +0200
Fix CVE-2017-6967.
diff --git a/debian/changelog b/debian/changelog
index 8dd5b11..d1af752 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-8) unstable; urgency=medium
+
+ * Fix CVE-2017-6967. (Closes: #858143)
+
+ -- Dominik George <nik@naturalnet.de> Mon, 24 Apr 2017 20:14:36 +0200
+
xrdp (0.9.1-7) unstable; urgency=medium
* Fix RFX with large tile sets, e.g. full HD displays. (Closes: #855387)
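Review bot: the entry `+ * Fix CVE-2017-6967. (Closes: #858143)` is the only content this commit excerpt shows; the patch it refers to, debian/patches/cve-2017-6967.diff, is not in the excerpt, so a reviewer cannot confirm from this hunk that the backport carries every part of the upstream commit, and message #26 below reports that the sesman/session.c part was in fact dropped. Two smaller points on the same line: a CVE fix with a possible privilege consequence goes out here at urgency=medium (the later 0.9.1-9 upload uses high), and the 0.9.1-8 entry as uploaded closes #855536 as well, which this committed entry neither closes nor explains.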
Reply sent to Dominik George <nik@naturalnet.de>: You have taken responsibility. (Mon, 24 Apr 2017 19:06:15 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 24 Apr 2017 19:06:15 GMT)
Message #21 received at 858143-close@bugs.debian.org:
Source: xrdp
Source-Version: 0.9.1-8
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858143@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 24 Apr 2017 20:14:36 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
xorgxrdp - Remote Desktop Protocol (RDP) modules for X.org
xrdp - Remote Desktop Protocol (RDP) server
Closes: 855536 858143
Changes:
xrdp (0.9.1-8) unstable; urgency=medium
.
* Fix CVE-2017-6967. (Closes: #858143, #855536)
Checksums-Sha1:
95ec24ee5676d0d787ea84adc9a2a3f46a6f6c65 2635 xrdp_0.9.1-8.dsc
6530007cfe2c9af4a83a9817d7031995c903d66c 27848 xrdp_0.9.1-8.debian.tar.xz
69e2e435fa647bc663b5574fd01eab44899e0856 10053 xrdp_0.9.1-8_source.buildinfo
Checksums-Sha256:
5863b3ca472b62525670dab94813f558cb0395c7320d454e790ad5053d3b66fe 2635 xrdp_0.9.1-8.dsc
8264bbb4c3e4fbcb855cd528c1c0a2a099c969aed5948097a4228e5e7aa789e6 27848 xrdp_0.9.1-8.debian.tar.xz
882da959a5507201d29ed89c5bd2a7433ad0435789c9b2f9a11347a00a72efc4 10053 xrdp_0.9.1-8_source.buildinfo
Files:
f6f38927d74a013fe4b5e6d03a7921d5 2635 net optional xrdp_0.9.1-8.dsc
021837e442c8220d7b9a97a7e8d570ae 27848 net optional xrdp_0.9.1-8.debian.tar.xz
5668a9d356050cffbf1bf7da39f50770 10053 net optional xrdp_0.9.1-8_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#858143; Package src:xrdp. (Wed, 26 Apr 2017 04:42:05 GMT)
Acknowledgement sent to rolnas@gmail.com: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Wed, 26 Apr 2017 04:42:05 GMT)
Message #26 received at 858143@bugs.debian.org:
Version: 0.9.1-8
Dear all,
I investigated the content of debian/patches/cve-2017-6967.diff from
version 0.9.1-8 in unstable, and by comparison with
https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3
it is missing the important sesman/session.c part of the patch.
Version 0.9.2 would be a much better solution, because it solves many
more problems.
Regards,
Rolandas
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#858143; Package src:xrdp. (Thu, 27 Apr 2017 10:39:03 GMT)
Acknowledgement sent to Dominik George <nik@naturalnet.de>: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Thu, 27 Apr 2017 10:39:03 GMT)
Message #31 received at 858143@bugs.debian.org:
Control: reopen -1
Hi,
> I'm investigated content of debian/patches/cve-2017-6967.diff from version
> 0.9.1-8 in unstable and by comparison with https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3
> it is missing important sesman/session.c part of patch.
You are right, a part went missing when rebasing.
Please have a look at the new patch now: https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/tree/debian/patches/cve-2017-6967.diff
> The version 0.9.2 would be much better solution, because it solves many more
> problems.
I know, but 0.9.2 won't get a freeze exception.
Thanks,
Nik
--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/
Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer
LPIC-3 Linux Enterprise Professional (Security)
Bug reopened. Request was from Dominik George <nik@naturalnet.de> to 858143-submit@bugs.debian.org. (Thu, 27 Apr 2017 10:39:03 GMT)
No longer marked as fixed in versions xrdp/0.9.1-8 and xrdp/0.9.2~20170325-1~exp1. Request was from Dominik George <nik@naturalnet.de> to 858143-submit@bugs.debian.org. (Thu, 27 Apr 2017 10:39:04 GMT)
Added tag(s) pending. Request was from Dominik George <nik@naturalnet.de> to control@bugs.debian.org. (Thu, 27 Apr 2017 10:39:06 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#858143. (Thu, 27 Apr 2017 10:39:10 GMT)
Message #40 received at 858143-submitter@bugs.debian.org:
tag 858143 pending
thanks
Hello,
Bug #858143 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=4c1ca9d
---
commit 4c1ca9db53aa048348da866f40be3024ac61a515
Author: Dominik George <nik@naturalnet.de>
Date: Thu Apr 27 12:34:23 2017 +0200
Revisit fix for CVE-2017-6967.
diff --git a/debian/changelog b/debian/changelog
index 8aa2d92..cb7c144 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-9) unstable; urgency=medium
+
+ * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
+
+ -- Dominik George <nik@naturalnet.de> Thu, 27 Apr 2017 12:33:21 +0200
+
xrdp (0.9.1-8) unstable; urgency=medium
* Fix CVE-2017-6967. (Closes: #858143, #855536)
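Review bot: `+ * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)` does not say what was incomplete; anyone auditing the backport later needs the entry to name the missing piece, the sesman/session.c part of upstream commit 4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3 that message #31 says went missing when rebasing. The committed entry also keeps urgency=medium while the 0.9.1-9 upload built from it (see the .changes below) goes out with urgency=high, so the changelog in git and the uploaded one disagree on urgency; the bump belongs in this commit.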
Marked as fixed in versions xrdp/0.9.2~20170325-1~exp1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Apr 2017 10:51:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#858143; Package src:xrdp. (Sat, 29 Apr 2017 08:27:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Sat, 29 Apr 2017 08:27:02 GMT)
Message #47 received at 858143@bugs.debian.org:
Control: severity -1 serious
Rationale: fix should make it to stretch before the release.
Regards,
Salvatore
Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 858143-submit@bugs.debian.org. (Sat, 29 Apr 2017 08:27:03 GMT)
Reply sent to Dominik George <nik@naturalnet.de>: You have taken responsibility. (Thu, 04 May 2017 17:21:13 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 04 May 2017 17:21:13 GMT)
Message #54 received at 858143-close@bugs.debian.org:
Source: xrdp
Source-Version: 0.9.1-9
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858143@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 04 May 2017 18:59:10 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
xorgxrdp - Remote Desktop Protocol (RDP) modules for X.org
xrdp - Remote Desktop Protocol (RDP) server
Closes: 858143
Changes:
xrdp (0.9.1-9) unstable; urgency=high
.
* Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
Checksums-Sha1:
13c09c7686d96bb82a27016b071812db846a0c7c 2639 xrdp_0.9.1-9.dsc
020b98f0da4e40a6a24956c92c47e664c5ad54f3 28236 xrdp_0.9.1-9.debian.tar.xz
a627f65dac780e31ce964045c9d850cb10ca6ca9 10079 xrdp_0.9.1-9_source.buildinfo
Checksums-Sha256:
d28cee58d217672d41f7a74a136d36fd78e14479a4a950fbad7113a33e969abf 2639 xrdp_0.9.1-9.dsc
e8680338c2f2eb3766200caac258c64f905c6384622cbab7755647f8fcf6c7a1 28236 xrdp_0.9.1-9.debian.tar.xz
ebe6ed513de1d60bceb981482a29ed93081117ec105c4efd8baab3366f363ae3 10079 xrdp_0.9.1-9_source.buildinfo
Files:
1618eb49f6beebcea301dcc696761587 2639 net optional xrdp_0.9.1-9.dsc
e88ffc91606bad2a4fe68556803c690a 28236 net optional xrdp_0.9.1-9.debian.tar.xz
28e52667561c0f6b6ee2ce429548d168 10079 net optional xrdp_0.9.1-9_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#858143; Package src:xrdp. (Tue, 23 May 2017 15:21:03 GMT)
Acknowledgement sent to Paul van Tilburg <paulvt@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Tue, 23 May 2017 15:21:03 GMT)
Message #59 received at 858143@bugs.debian.org:
Version: 0.9.1-9
Dear all,
I would like to report a problem with the fix in 0.9.1-9 and
I hope you would consider reopening this bug report.
The first issue is that it seems that when a user logs in now, the
xrdp-sesman main process is moved to the scope of the first session!
(This did not use to happen before.)
$ systemctl status xrdp-sesman.service
● xrdp-sesman.service - xrdp session manager
Loaded: loaded (/lib/systemd/system/xrdp-sesman.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-05-15 10:49:28 CEST; 1 weeks 1 days ago
Docs: man:xrdp-sesman(8)
man:sesman.ini(5)
Main PID: 3050 (xrdp-sesman)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/xrdp-sesman.service
‣ 3050 /usr/sbin/xrdp-sesman
$ loginctl
SESSION UID USER SEAT TTY
426 1001 paul
c4 1002 other.user
$ systemctl status session-c4.scope
● session-c4.scope - Session c4 of user corry.kosters
Loaded: loaded (/run/systemd/transient/session-c4.scope; transient; vendor preset: enabled)
Transient: yes
Active: active (running) since Mon 2017-05-15 10:49:43 CEST; 1 weeks 1 days ago
CGroup: /user.slice/user-10016.slice/session-c4.scope
├─ 3050 /usr/sbin/xrdp-sesman
…
We have a deployment where we have configured systemd-logind to
kill user processes when there are no more sessions for said user (via
both Xrdp and ssh). So, now, not only is his/her session killed but also the
main xrdp-sesman process (!), after which Xrdp becomes unavailable.
A workaround is to log in with a user that just disconnects, but that
is not exactly ideal.
A secondary effect of the fix that I see is that loginctl also
only reports a session for the first user that logged in.
For example, see the loginctl output above. The session of my
user (c5) is not visible at all.
Both issues indicate that there is still an issue with properly
registering the sessions. I have confirmed that going back to 0.9.1-7
fixes both issues.
Kind regards,
Paul
--
Using the Power of Debian GNU/Linux | E-mail: paulvt@debian.org
Jabber/XMPP: paul@luon.net | GnuPG key ID: 0x50064181
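A check for the regression Paul describes, added here as an example that is not part of the report, of xrdp or of Debian's packaging: read /proc/<pid>/cgroup for the xrdp-sesman main PID and flag the daemon if it no longer sits under /system.slice/xrdp-sesman.service but inside a user's session-*.scope, which is exactly what lets logind's kill-user-processes setting take the daemon down together with that user's session. The two cgroup samples are constructed from the systemctl output quoted above, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the bug report or of xrdp): detect an
# xrdp-sesman main process that has been pulled out of its own service
# unit into a logind user session scope.

# cgroup_path prints the unit path from /proc/<pid>/cgroup-style text
# ($1), passed as a string so it also runs on constructed samples. It
# prefers the unified (v2) "0::" line and falls back to the v1
# "name=systemd" hierarchy, so it works on both cgroup layouts.
cgroup_path() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "0" && $2 == ""  { v2 = $3 }
        $2 == "name=systemd"   { v1 = $3 }
        END { print (v2 != "" ? v2 : v1) }'
}

# sesman_in_user_session returns 0 (true) when the process is in a
# session-*.scope or anywhere under user.slice, and 1 when it is still
# in system.slice, where a system service belongs.
sesman_in_user_session() {
    case "$(cgroup_path "$1")" in
        /user.slice/*|*/session-*.scope) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples modelled on the systemctl output in the report.
# Healthy: the daemon is in its own service unit.
SESMAN_HEALTHY='12:pids:/system.slice/xrdp-sesman.service
1:name=systemd:/system.slice/xrdp-sesman.service
0::/system.slice/xrdp-sesman.service'

# Regressed: PID 3050 now lives in the first user's session scope.
SESMAN_HIJACKED='12:pids:/user.slice/user-10016.slice/session-c4.scope
1:name=systemd:/user.slice/user-10016.slice/session-c4.scope
0::/user.slice/user-10016.slice/session-c4.scope'

# Stand-alone demo: only the regressed sample is flagged.
for sample in "$SESMAN_HEALTHY" "$SESMAN_HIJACKED"; do
    if sesman_in_user_session "$sample"; then
        echo "WARNING: xrdp-sesman is inside a user session: $(cgroup_path "$sample")"
    else
        echo "ok: xrdp-sesman in $(cgroup_path "$sample")"
    fi
done
```

On a live system, after the first RDP login (the move happens at session start), run `sesman_in_user_session "$(cat /proc/"$(systemctl show -p MainPID --value xrdp-sesman.service)"/cgroup)" && echo "xrdp-sesman has been moved into a user session"`. A daemon that passes this check can still lose its session registration, so the second symptom Paul reports (loginctl listing only the first session) needs `loginctl` itself to confirm.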
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jun 2017 07:26:46 GMT)
Last modified: Wed Jun 19 16:44:32 2019