diff options
author | Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com> | 2017-12-25 18:30:16 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2017-12-30 12:32:41 -0800 |
commit | e170ac2818e6c031b09d21a7f459d6b1c1ade245 (patch) | |
tree | 4517be4b846a34c9d4481e3138c3a56b9514688c /meta-oe | |
parent | cae654adc6bfc5de7b8e70ce787664fc06ad7304 (diff) | |
download | meta-openembedded-contrib-e170ac2818e6c031b09d21a7f459d6b1c1ade245.tar.gz |
xrdp: CVE-2017-16927
Fix of CVE-2017-16927
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe')
-rw-r--r-- | meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch | 148 | ||||
-rw-r--r-- | meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb | 1 |
2 files changed, 149 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch new file mode 100644 index 0000000000..4c93647f67 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch @@ -0,0 +1,148 @@ +Subject: [PATCH] Fix CVE-2017-16927 + +sesman: scpv0, accept variable length data fields + +Upstream-Status: Backport + +--- + sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c +index 5a0c8bf..5693407 100644 +--- a/sesman/libscp/libscp_v0.c ++++ b/sesman/libscp/libscp_v0.c +@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + struct SCP_SESSION *session = 0; + tui16 sz; + tui32 code = 0; +- char buf[257]; ++ char *buf = 0; + + if (!skipVchk) + { +@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + /* reading username */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++ buf[sz] = '\0'; + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__); ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* reading password */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); +- ++ buf[sz] = '\0'; + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* width */ + in_uint16_be(c->in_s, sz); +@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_domain(session, buf); ++ g_free(buf); + } + } + +@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_program(session, buf); ++ g_free(buf); + } + } + +@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_directory(session, buf); ++ g_free(buf); + } + } + +@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + + if (sz > 0) + { ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); + buf[sz] = '\0'; + scp_session_set_client_ip(session, buf); ++ g_free(buf); + } + } + } +@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk) + scp_session_set_type(session, SCP_GW_AUTHENTICATION); + /* reading username */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); ++ buf[sz] = '\0'; + + /* g_writeln("Received user name: %s",buf); */ + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/ ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + + /* reading password */ + in_uint16_be(c->in_s, sz); +- buf[sz] = '\0'; ++ buf = g_new0(char, sz); + in_uint8a(c->in_s, buf, sz); ++ buf[sz] = '\0'; + + /* g_writeln("Received password: %s",buf); */ + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */ ++ g_free(buf); + return SCP_SERVER_STATE_INTERNAL_ERR; + } ++ g_free(buf); + } + else + { +-- +2.7.4 + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb index e7a77e4493..ccc8e359a7 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/neutrinolabs/xrdp.git \ file://0001-Fix-sesman.ini-and-xrdp.ini.patch \ file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \ file://0001-Fix-the-compile-error.patch \ + file://0001-Fix-of-CVE-2017-16927.patch \ " SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5" |