xrdp: CVE-2017-6967: incorrect placement of auth_start_session()

Debian Bug report logs - #858143
xrdp: CVE-2017-6967: incorrect placement of auth_start_session()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: xrdp: CVE-2017-6967: incorrect placement of auth_start_session()

Date: Sat, 18 Mar 2017 21:48:52 +0100

Source: xrdp
Version: 0.9.1-7
Severity: important
Tags: security upstream patch
Forwarded: https://github.com/neutrinolabs/xrdp/issues/350

Hi,

the following vulnerability was published for xrdp.

CVE-2017-6967[0]:
| xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect
| location, leading to PAM session modules not being properly
| initialized, with a potential consequence of incorrect configurations
| or elevation of privileges, aka a pam_limits.so bypass.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6967
[1] http://www.openwall.com/lists/oss-security/2017/03/18/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #16 received at 858143-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 858143-submitter@bugs.debian.org

Subject: Bug#858143 marked as pending

Date: Mon, 24 Apr 2017 18:43:12 +0000

tag 858143 pending
thanks

Hello,

Bug #858143 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=69bdd1a

---
commit 69bdd1a6b7b278e2343fce0d988a7590177b901c
Author: Dominik George <nik@naturalnet.de>
Date:   Mon Apr 24 20:15:26 2017 +0200

    Fix CVE-2017-6967.

diff --git a/debian/changelog b/debian/changelog
index 8dd5b11..d1af752 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-8) unstable; urgency=medium
+
+  * Fix CVE-2017-6967. (Closes: #858143)
+
+ -- Dominik George <nik@naturalnet.de>  Mon, 24 Apr 2017 20:14:36 +0200
+
 xrdp (0.9.1-7) unstable; urgency=medium
 
   * Fix RFX with large tile sets, e.g. full HD displays. (Closes: #855387)

Message #21 received at 858143-close@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 858143-close@bugs.debian.org

Subject: Bug#858143: fixed in xrdp 0.9.1-8

Date: Mon, 24 Apr 2017 19:04:50 +0000

Source: xrdp
Source-Version: 0.9.1-8

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858143@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Apr 2017 20:14:36 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
 xorgxrdp   - Remote Desktop Protocol (RDP) modules for X.org
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 855536 858143
Changes:
 xrdp (0.9.1-8) unstable; urgency=medium
 .
   * Fix CVE-2017-6967. (Closes: #858143, #855536)
Checksums-Sha1:
 95ec24ee5676d0d787ea84adc9a2a3f46a6f6c65 2635 xrdp_0.9.1-8.dsc
 6530007cfe2c9af4a83a9817d7031995c903d66c 27848 xrdp_0.9.1-8.debian.tar.xz
 69e2e435fa647bc663b5574fd01eab44899e0856 10053 xrdp_0.9.1-8_source.buildinfo
Checksums-Sha256:
 5863b3ca472b62525670dab94813f558cb0395c7320d454e790ad5053d3b66fe 2635 xrdp_0.9.1-8.dsc
 8264bbb4c3e4fbcb855cd528c1c0a2a099c969aed5948097a4228e5e7aa789e6 27848 xrdp_0.9.1-8.debian.tar.xz
 882da959a5507201d29ed89c5bd2a7433ad0435789c9b2f9a11347a00a72efc4 10053 xrdp_0.9.1-8_source.buildinfo
Files:
 f6f38927d74a013fe4b5e6d03a7921d5 2635 net optional xrdp_0.9.1-8.dsc
 021837e442c8220d7b9a97a7e8d570ae 27848 net optional xrdp_0.9.1-8.debian.tar.xz
 5668a9d356050cffbf1bf7da39f50770 10053 net optional xrdp_0.9.1-8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCABPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlj+RjsxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTylgUxD/9yqfUApAzzbsWP0yVvql9h4dRuv5b+YWGLSmpRXlEl3g8ovNzvMUlf
Q1MGfxF/LDirgl3EBrXTQ+GGDuVteJLgQGLqdsU0rHigDhpec//1Z9lea3JG26f+
8lhy3v0AYJE5zJSspmqWetxgYmuPb25CMGAEuW/de3FXSTMeznFFT1CLCJUlT11+
DFBkzbTXeS3rue08coE80jVpGaMMubWKf3lhBWL+7L5tHwlxvcrui1nc04BeI3i+
sJmKCfdwx6t4U91J/AjMjnj7MUxTGapEbJJLtBRIyUYkgJNX6uV+LZRaG5rVpS5W
aLxdTBvbZWYEYM6dKSsKqxvB7sp33QrqdHzP50iFCDjoIE2zEP3UFMQOlWedklfU
aeD7Ap3Adx3lgjE6rRYxQWiCqGLeFyIyGKtwkJHVOkbzi4QAfPvFQInZlu15xQ9b
Y7c/y+9u+mfKQYlkBH6dWwwN5c2OtgjoQ1VujyRiQSCkeZbTMttC0HB/7Z9BMzUT
mLDRwyZqd2wvW29zo/KG4N7kE2PJ+D8XLJ+og4LcqVgj5ZUx3SvyVi/MLMc/6Gpb
JoRCQQzmfyitZ82IL6J42OjCTdt3yVSUhSJTNb1xU2PnQwFHBSbo85Py3KN34+Xd
fqb21zKSaPoKOdYE5vEhm1gs9eycyRYiUqzDVAWs9ywas9GekX5x0A==
=h4r5
-----END PGP SIGNATURE-----

Message #26 received at 858143@bugs.debian.org (full text, mbox, reply):

From: rolnas@gmail.com

To: 858143@bugs.debian.org

Subject: fix is not complete

Date: Wed, 26 Apr 2017 07:38:32 +0300

Version: 0.9.1-8

Dear all,

I'm investigated content of debian/patches/cve-2017-6967.diff from 
version 0.9.1-8 in unstable and by comparison with 
https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3 
it is missing important sesman/session.c part of patch.

The version 0.9.2 would be much better solution, because it solves many 
more problems.

Regards,
Rolandas

Message #31 received at 858143@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: rolnas@gmail.com, 858143@bugs.debian.org

Subject: Re: Bug#858143: fix is not complete

Date: Thu, 27 Apr 2017 12:37:22 +0200

[Message part 1 (text/plain, inline)]

Control: reopen -1

Hi,

> I'm investigated content of debian/patches/cve-2017-6967.diff from version
> 0.9.1-8 in unstable and by comparison with https://github.com/neutrinolabs/xrdp/commit/4b8a33e087ee9cf5556b40b717cd7e8ff243b3c3
> it is missing important sesman/session.c part of patch.

You are right, a part went missing when rebasing.

Please have a look at the new patch now: https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/tree/debian/patches/cve-2017-6967.diff

> The version 0.9.2 would be much better solution, because it solves many more
> problems.

I know, but 0.9.2 won't get a freeze exception.

Thanks,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 858143-submitter@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 858143-submitter@bugs.debian.org

Subject: Bug#858143 marked as pending

Date: Thu, 27 Apr 2017 10:34:57 +0000

tag 858143 pending
thanks

Hello,

Bug #858143 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/xrdp.git/commit/?id=4c1ca9d

---
commit 4c1ca9db53aa048348da866f40be3024ac61a515
Author: Dominik George <nik@naturalnet.de>
Date:   Thu Apr 27 12:34:23 2017 +0200

    Revisit fix for CVE-2017-6967.

diff --git a/debian/changelog b/debian/changelog
index 8aa2d92..cb7c144 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.1-9) unstable; urgency=medium
+
+  * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
+
+ -- Dominik George <nik@naturalnet.de>  Thu, 27 Apr 2017 12:33:21 +0200
+
 xrdp (0.9.1-8) unstable; urgency=medium
 
   * Fix CVE-2017-6967. (Closes: #858143, #855536)

Message #47 received at 858143@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 858143@bugs.debian.org

Subject: Re: Bug#858143: xrdp: CVE-2017-6967: incorrect placement of auth_start_session()

Date: Sat, 29 Apr 2017 10:23:54 +0200

Control: severity -1 serious

Rationale: fix should make it to stretch before the release.

Regards,
Salvatore

Message #54 received at 858143-close@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>

To: 858143-close@bugs.debian.org

Subject: Bug#858143: fixed in xrdp 0.9.1-9

Date: Thu, 04 May 2017 17:18:35 +0000

Source: xrdp
Source-Version: 0.9.1-9

We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858143@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated xrdp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 04 May 2017 18:59:10 +0200
Source: xrdp
Binary: xrdp xorgxrdp
Architecture: source
Version: 0.9.1-9
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
 xorgxrdp   - Remote Desktop Protocol (RDP) modules for X.org
 xrdp       - Remote Desktop Protocol (RDP) server
Closes: 858143
Changes:
 xrdp (0.9.1-9) unstable; urgency=high
 .
   * Revisit incomplete fix for CVE-2017-6967. (Closes: #858143)
Checksums-Sha1:
 13c09c7686d96bb82a27016b071812db846a0c7c 2639 xrdp_0.9.1-9.dsc
 020b98f0da4e40a6a24956c92c47e664c5ad54f3 28236 xrdp_0.9.1-9.debian.tar.xz
 a627f65dac780e31ce964045c9d850cb10ca6ca9 10079 xrdp_0.9.1-9_source.buildinfo
Checksums-Sha256:
 d28cee58d217672d41f7a74a136d36fd78e14479a4a950fbad7113a33e969abf 2639 xrdp_0.9.1-9.dsc
 e8680338c2f2eb3766200caac258c64f905c6384622cbab7755647f8fcf6c7a1 28236 xrdp_0.9.1-9.debian.tar.xz
 ebe6ed513de1d60bceb981482a29ed93081117ec105c4efd8baab3366f363ae3 10079 xrdp_0.9.1-9_source.buildinfo
Files:
 1618eb49f6beebcea301dcc696761587 2639 net optional xrdp_0.9.1-9.dsc
 e88ffc91606bad2a4fe68556803c690a 28236 net optional xrdp_0.9.1-9.debian.tar.xz
 28e52667561c0f6b6ee2ce429548d168 10079 net optional xrdp_0.9.1-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCABPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlkLX30xGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTyljpzD/9YRM/XowDaanhnqhkpH9+gOrqeIuOR2712kdP2/u1v0KIRPglkEIJ6
SZ3u8fQqYommZfGSm+f4Twlk+Jz3iH5LD9N4NYbo1/5QRHPWyzKiKhblckT6RB2k
gLgYnvJiTeE8GOObfsskzoCdDmg0Oq8niEvnazqX1aBfcAxoVh5EJg6n/K9eak1o
2mYA2PxJJGN6OI+HeCDb/9IOuE0lp6Zn4A5lnKEJaLbmdyM+ewgtCn5lvP/Rt1Tu
Uv8LYSwyWGUNKW7VpcWlJtQnmQyp6ejmFWXmfjbgxscUU/4HdKfIBbOkT1r/XOmU
1fZEkFjbe1PLD7egM72nEfLLtw8UiffRpTGgH8i7K2lfc63YUdkXug5Zq4rVou6a
derPS37pCfDFVA3IZRgAqKkslAA8/xNn2I6MJecJMSuyDMLbqEGndgzwbcHGdJCx
wIcPdoENJftKb2K0B2LJS5TberYt54bE/xTlrwbOfEXSmWZ+tuR5xJU8eMn0Ruza
TkuQ/Gfvt6ZaOuH9rVwiXSJXtii1mdlRPm7FHFA5tChxl6rCBfGlfTOW5ysDv/dp
WlSIPQ96PQ2zxP2+g66yhjbZBUKwTFQqO83mx7+uPL+Eg3Ce3H5r3wr8sasiWrY/
jJ74paSnRo90HE3DBvUnkS37zJ3TbKYez1a0sUose2xD65O0J0tSDQ==
=HP7g
-----END PGP SIGNATURE-----

Message #59 received at 858143@bugs.debian.org (full text, mbox, reply):

From: Paul van Tilburg <paulvt@debian.org>

To: 858143@bugs.debian.org

Subject: Gets killed by logind kills user processes

Date: Tue, 23 May 2017 16:57:46 +0200

Version: 0.9.1-9

Dear all,

I would like to report a problem with the fix in 0.9.1-9 and
I hope you would consider reopening this bug report.

The first issue is that it seems that when a user logs in now, the
xrdp-sesman main process is moved to scope of the first session! 
(This did not used to happen before.)

  $ systemctl status xrdp-sesman.service
    ● xrdp-sesman.service - xrdp session manager
       Loaded: loaded (/lib/systemd/system/xrdp-sesman.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2017-05-15 10:49:28 CEST; 1 weeks 1 days ago
         Docs: man:xrdp-sesman(8)
               man:sesman.ini(5)
     Main PID: 3050 (xrdp-sesman)
        Tasks: 0 (limit: 4915)
       CGroup: /system.slice/xrdp-sesman.service
               ‣ 3050 /usr/sbin/xrdp-sesman

  $ loginctl
     SESSION        UID USER             SEAT             TTY             
         426       1001 paul                                              
          c4       1002 other.user

  $ systemctl status session-c4.scope
    ● session-c4.scope - Session c4 of user corry.kosters
       Loaded: loaded (/run/systemd/transient/session-c4.scope; transient; vendor preset: enabled)
    Transient: yes
       Active: active (running) since Mon 2017-05-15 10:49:43 CEST; 1 weeks 1 days ago
       CGroup: /user.slice/user-10016.slice/session-c4.scope
               ├─ 3050 /usr/sbin/xrdp-sesman
               …

We have a deployment where we have configured systemd-logind to
kill user process when there are no more sessions for said user (via
both Xrdp and ssh).  So, now, not only his/her session is killed but also the
main xrdp-sessman process (!), after which Xrdp becomes unavailable.

A workaround is to login with a user that just disconnects, but that
is not exactly ideal.

A secondary effect of the fix that I see is that loginctl also
only reports a session for the first user that logged in.
For example, see the loginctl output above.  The session of my
user (c5) is not visible at all.

Both issues indicate that there is still an issue with properly
registering the sessions.  I have confirmed that going back to 0.9.1-7
fixes both issues.

Kind regards,
Paul

-- 
Using the Power of Debian GNU/Linux  | E-mail: paulvt@debian.org
Jabber/XMPP: paul@luon.net           | GnuPG key ID: 0x50064181

Send a report that this bug log contains spam.