diff mbox series

[meta-oe,scarthgap,07/12] xrdp: patch CVE-2022-23482

Message ID 20251203212949.4046524-7-skandigraun@gmail.com
State Superseded, archived
Delegated to: Anuj Mittal
Headers show
Series [meta-oe,scarthgap,01/12] xrdp: patch CVE-2022-23468 | expand

Commit Message

Gyorgy Sarvari Dec. 3, 2025, 9:29 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../xrdp/xrdp/CVE-2022-23482.patch            | 69 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb   |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch

Comments

Anuj Mittal Dec. 4, 2025, 4:02 a.m. UTC | #1 
On Thu, Dec 4, 2025 at 3:00 AM Gyorgy Sarvari via
lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
wrote:
>
> Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
>
> Pick the patch that mentions this vulnerability explicitly.
>
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
>  .../xrdp/xrdp/CVE-2022-23482.patch            | 69 +++++++++++++++++++
>  meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb   |  1 +
>  2 files changed, 70 insertions(+)
>  create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
>
> diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
> new file mode 100644
> index 0000000000..5c22701d35
> --- /dev/null
> +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
> @@ -0,0 +1,69 @@
> +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001
> +From: matt335672 <30179339+matt335672@users.noreply.github.com>
> +Date: Wed, 7 Dec 2022 11:05:46 +0000
> +Subject: [PATCH] CVE-2022-23482
> +
> +Check minimum length of TS_UD_CS_CORE message
> +
> +CVE: CVE-2022-23482
> +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf]

This causes yocto-check-layer to fail for this and other patches in
this series with same issue:

AssertionError: 9 != 0 : Found following patches with malformed or
missing upstream status:
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch
/srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch



> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
> + 1 file changed, 22 insertions(+), 1 deletion(-)
> +
> +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
> +index 691d4f04f3..084fca6b8d 100644
> +--- a/libxrdp/xrdp_sec.c
> ++++ b/libxrdp/xrdp_sec.c
> +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
> + static int
> + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
> + {
> ++#define CS_CORE_MIN_LENGTH \
> ++    (\
> ++     4 +            /* Version */ \
> ++     2 + 2 +        /* desktopWidth + desktopHeight */ \
> ++     2 + 2 +        /* colorDepth + SASSequence */ \
> ++     4 +            /* keyboardLayout */ \
> ++     4 + 32 +       /* clientBuild + clientName */ \
> ++     4 + 4 + 4 +    /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
> ++     64 +           /* imeFileName */ \
> ++     0)
> ++
> +     int version;
> +     int colorDepth;
> +     int postBeta2ColorDepth;
> +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
> +
> +     UNUSED_VAR(version);
> +
> +-    /* TS_UD_CS_CORE requiered fields */
> ++    /* TS_UD_CS_CORE required fields */
> ++    if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
> ++                             "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
> ++    {
> ++        return 1;
> ++    }
> +     in_uint32_le(s, version);
> +     in_uint16_le(s, self->rdp_layer->client_info.width);
> +     in_uint16_le(s, self->rdp_layer->client_info.height);
> +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
> +               clientName);
> +
> +     /* TS_UD_CS_CORE optional fields */
> ++    if (!s_check_rem(s, 2))
> ++    {
> ++        return 0;
> ++    }
> +     in_uint16_le(s, postBeta2ColorDepth);
> +     LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
> +               "<Optional Field> postBeta2ColorDepth %s",
> +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
> +               "<Optional Field> desktopOrientation (ignored)");
> +
> +     return 0;
> ++#undef CS_CORE_MIN_LENGTH
> + }
> +
> + /*****************************************************************************/
> diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
> index ff14cf8397..29245f3747 100644
> --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
> +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
> @@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
>             file://CVE-2022-23480-1.patch \
>             file://CVE-2022-23480-2.patch \
>             file://CVE-2022-23481.patch \
> +           file://CVE-2022-23482.patch \
>             "
>
>  SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#122285): https://lists.openembedded.org/g/openembedded-devel/message/122285
> Mute This Topic: https://lists.openembedded.org/mt/116602085/3616702
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [anuj.mittal@oss.qualcomm.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Gyorgy Sarvari Dec. 4, 2025, 7:44 a.m. UTC | #2 
On 12/4/25 05:02, Anuj Mittal wrote:
> On Thu, Dec 4, 2025 at 3:00 AM Gyorgy Sarvari via
> lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>
> wrote:
>> Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
>>
>> Pick the patch that mentions this vulnerability explicitly.
>>
>> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> ---
>>  .../xrdp/xrdp/CVE-2022-23482.patch            | 69 +++++++++++++++++++
>>  meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb   |  1 +
>>  2 files changed, 70 insertions(+)
>>  create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
>>
>> diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
>> new file mode 100644
>> index 0000000000..5c22701d35
>> --- /dev/null
>> +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
>> @@ -0,0 +1,69 @@
>> +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001
>> +From: matt335672 <30179339+matt335672@users.noreply.github.com>
>> +Date: Wed, 7 Dec 2022 11:05:46 +0000
>> +Subject: [PATCH] CVE-2022-23482
>> +
>> +Check minimum length of TS_UD_CS_CORE message
>> +
>> +CVE: CVE-2022-23482
>> +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf]
> This causes yocto-check-layer to fail for this and other patches in
> this series with same issue:

D'oh, thanks, will send a v2. I wonder why did this not warn during
regular QA checks on Scarthgap.

>
> AssertionError: 9 != 0 : Found following patches with malformed or
> missing upstream status:
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch
> /srv/pokybuild/yocto-worker/meta-oe/build/meta-openembedded/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
>
>
>
>> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
>> +---
>> + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
>> + 1 file changed, 22 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
>> +index 691d4f04f3..084fca6b8d 100644
>> +--- a/libxrdp/xrdp_sec.c
>> ++++ b/libxrdp/xrdp_sec.c
>> +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
>> + static int
>> + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
>> + {
>> ++#define CS_CORE_MIN_LENGTH \
>> ++    (\
>> ++     4 +            /* Version */ \
>> ++     2 + 2 +        /* desktopWidth + desktopHeight */ \
>> ++     2 + 2 +        /* colorDepth + SASSequence */ \
>> ++     4 +            /* keyboardLayout */ \
>> ++     4 + 32 +       /* clientBuild + clientName */ \
>> ++     4 + 4 + 4 +    /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
>> ++     64 +           /* imeFileName */ \
>> ++     0)
>> ++
>> +     int version;
>> +     int colorDepth;
>> +     int postBeta2ColorDepth;
>> +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
>> +
>> +     UNUSED_VAR(version);
>> +
>> +-    /* TS_UD_CS_CORE requiered fields */
>> ++    /* TS_UD_CS_CORE required fields */
>> ++    if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
>> ++                             "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
>> ++    {
>> ++        return 1;
>> ++    }
>> +     in_uint32_le(s, version);
>> +     in_uint16_le(s, self->rdp_layer->client_info.width);
>> +     in_uint16_le(s, self->rdp_layer->client_info.height);
>> +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
>> +               clientName);
>> +
>> +     /* TS_UD_CS_CORE optional fields */
>> ++    if (!s_check_rem(s, 2))
>> ++    {
>> ++        return 0;
>> ++    }
>> +     in_uint16_le(s, postBeta2ColorDepth);
>> +     LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
>> +               "<Optional Field> postBeta2ColorDepth %s",
>> +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
>> +               "<Optional Field> desktopOrientation (ignored)");
>> +
>> +     return 0;
>> ++#undef CS_CORE_MIN_LENGTH
>> + }
>> +
>> + /*****************************************************************************/
>> diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
>> index ff14cf8397..29245f3747 100644
>> --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
>> +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
>> @@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
>>             file://CVE-2022-23480-1.patch \
>>             file://CVE-2022-23480-2.patch \
>>             file://CVE-2022-23481.patch \
>> +           file://CVE-2022-23482.patch \
>>             "
>>
>>  SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#122285): https://lists.openembedded.org/g/openembedded-devel/message/122285
>> Mute This Topic: https://lists.openembedded.org/mt/116602085/3616702
>> Group Owner: openembedded-devel+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [anuj.mittal@oss.qualcomm.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
new file mode 100644
index 0000000000..5c22701d35
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
@@ -0,0 +1,69 @@ 
+From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Wed, 7 Dec 2022 11:05:46 +0000
+Subject: [PATCH] CVE-2022-23482
+
+Check minimum length of TS_UD_CS_CORE message
+
+CVE: CVE-2022-23482
+Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
+index 691d4f04f3..084fca6b8d 100644
+--- a/libxrdp/xrdp_sec.c
++++ b/libxrdp/xrdp_sec.c
+@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s)
+ static int
+ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
+ {
++#define CS_CORE_MIN_LENGTH \
++    (\
++     4 +            /* Version */ \
++     2 + 2 +        /* desktopWidth + desktopHeight */ \
++     2 + 2 +        /* colorDepth + SASSequence */ \
++     4 +            /* keyboardLayout */ \
++     4 + 32 +       /* clientBuild + clientName */ \
++     4 + 4 + 4 +    /* keyboardType + keyboardSubType + keyboardFunctionKey */ \
++     64 +           /* imeFileName */ \
++     0)
++
+     int version;
+     int colorDepth;
+     int postBeta2ColorDepth;
+@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
+ 
+     UNUSED_VAR(version);
+ 
+-    /* TS_UD_CS_CORE requiered fields */
++    /* TS_UD_CS_CORE required fields */
++    if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH,
++                             "Parsing [MS-RDPBCGR] TS_UD_CS_CORE"))
++    {
++        return 1;
++    }
+     in_uint32_le(s, version);
+     in_uint16_le(s, self->rdp_layer->client_info.width);
+     in_uint16_le(s, self->rdp_layer->client_info.height);
+@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
+               clientName);
+ 
+     /* TS_UD_CS_CORE optional fields */
++    if (!s_check_rem(s, 2))
++    {
++        return 0;
++    }
+     in_uint16_le(s, postBeta2ColorDepth);
+     LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE "
+               "<Optional Field> postBeta2ColorDepth %s",
+@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s)
+               "<Optional Field> desktopOrientation (ignored)");
+ 
+     return 0;
++#undef CS_CORE_MIN_LENGTH
+ }
+ 
+ /*****************************************************************************/
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
index ff14cf8397..29245f3747 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -23,6 +23,7 @@  SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
            file://CVE-2022-23480-1.patch \
            file://CVE-2022-23480-2.patch \
            file://CVE-2022-23481.patch \
+           file://CVE-2022-23482.patch \
            "
 
 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"