[oe-commits] [meta-openembedded] 06/59: xrdp: CVE-2017-16927
git at git.openembedded.org
git at git.openembedded.org
Sat Dec 30 20:39:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
armin_kuster pushed a commit to branch master-next
in repository meta-openembedded.
commit e170ac2818e6c031b09d21a7f459d6b1c1ade245
Author: Zheng Ruoqin <zhengrq.fnst at cn.fujitsu.com>
AuthorDate: Mon Dec 25 18:30:16 2017 +0800
xrdp: CVE-2017-16927
Fix of CVE-2017-16927
Signed-off-by: Zheng Ruoqin <zhengrq.fnst at cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch | 148 +++++++++++++++++++++
meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb | 1 +
2 files changed, 149 insertions(+)
diff --git a/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch
new file mode 100644
index 0000000..4c93647
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch
@@ -0,0 +1,148 @@
+Subject: [PATCH] Fix CVE-2017-16927
+
+sesman: scpv0, accept variable length data fields
+
+Upstream-Status: Backport
+
+---
+ sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 5a0c8bf..5693407 100644
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ struct SCP_SESSION *session = 0;
+ tui16 sz;
+ tui32 code = 0;
+- char buf[257];
++ char *buf = 0;
+
+ if (!skipVchk)
+ {
+@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* width */
+ in_uint16_be(c->in_s, sz);
+@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_domain(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_program(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_directory(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_client_ip(session, buf);
++ g_free(buf);
+ }
+ }
+ }
+@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received user name: %s",buf); */
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received password: %s",buf); */
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ }
+ else
+ {
+--
+2.7.4
+
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
index e7a77e4..ccc8e35 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/neutrinolabs/xrdp.git \
file://0001-Fix-sesman.ini-and-xrdp.ini.patch \
file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
file://0001-Fix-the-compile-error.patch \
+ file://0001-Fix-of-CVE-2017-16927.patch \
"
SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list