From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 01/12] xrdp: patch CVE-2022-23468
Date: Wed, 3 Dec 2025 22:29:38 +0100
Message-ID: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122279

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23468.patch | 34 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch new file mode 100644 index 0000000000..e92908f938 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch
@@ -0,0 +1,34 @@ +From 43cf272b1138462c1bdfc48ef7e9142208194382 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:16:44 +0000 +Subject: [PATCH] CVE-2022-23468 + +Login window - replace g_sprintf() withl g_snprintf() calls + +CVE: CVE-2022-23468 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/43cf272b1138462c1bdfc48ef7e9142208194382] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_login_wnd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c +index 7a3134fd3e..28748676a1 100644 +--- a/xrdp/xrdp_login_wnd.c ++++ b/xrdp/xrdp_login_wnd.c +@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self) + if (globals->ls_title[0] == 0) + { + g_gethostname(buf1, 256); +- g_sprintf(buf, "Login to %s", buf1); ++ g_snprintf(buf, sizeof(buf), "Login to %s", buf1); + set_string(&self->login_window->caption1, buf); + } + else + { + /*self->login_window->caption1 = globals->ls_title[0];*/ +- g_sprintf(buf, "%s", globals->ls_title); ++ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title); + set_string(&self->login_window->caption1, buf); + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 363ab3ff8b..5eca9d3bf6 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-Fix-the-compile-error.patch \ file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ + file://CVE-2022-23468.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
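Review bot: In the xrdp_login_wnd_create hunk, sizeof(buf) is only the right bound if buf is declared as an array in this function, and that declaration is outside the visible context; if buf were a pointer, the limit would be the pointer size and the caption would be cut to a few bytes. Please confirm this against the 0.9.20 source the patch applies to. The context line g_gethostname(buf1, 256) still hard-codes its length, so sizeof(buf1) there would keep both calls consistent, although that change belongs upstream rather than in this backport. Since g_snprintf() truncates silently, a long ls_title now produces a shortened caption rather than an overflow, which may be worth a log message upstream.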
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 02/12] xrdp: patch CVE-2022-23477
Date: Wed, 3 Dec 2025 22:29:39 +0100
Message-ID: <20251203212949.4046524-2-skandigraun@gmail.com>
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122280

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23477.patch | 38 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch new file mode 100644 index 0000000000..93aeff2925 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch
@@ -0,0 +1,38 @@ +From d49f269af82be5f14b193d4edfcb63b547a16ff4 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 11:31:31 +0000 +Subject: [PATCH] CVE-2022-23477 + +Prevent buffer overflow for oversized audio format from client + +CVE: CVE-2022-23477 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/d49f269af82be5f14b193d4edfcb63b547a16ff4] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/audin.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c +index cd802fa519..36a8027a57 100644 +--- a/sesman/chansrv/audin.c ++++ b/sesman/chansrv/audin.c +@@ -181,15 +181,16 @@ audin_send_open(int chan_id) + int error; + int bytes; + struct stream *s; +- struct xr_wave_format_ex *wf; ++ struct xr_wave_format_ex *wf = g_client_formats[g_current_format]; + + LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:"); + make_stream(s); +- init_stream(s, 8192); ++ /* wf->cbSize was checked when the format was received */ ++ init_stream(s, wf->cbSize + 64); ++ + out_uint8(s, MSG_SNDIN_OPEN); + out_uint32_le(s, 2048); /* FramesPerPacket */ + out_uint32_le(s, g_current_format); /* initialFormat */ +- wf = g_client_formats[g_current_format]; + out_uint16_le(s, wf->wFormatTag); + out_uint16_le(s, wf->nChannels); + out_uint32_le(s, wf->nSamplesPerSec); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 5eca9d3bf6..91d4134789 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -17,6 +17,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ + file://CVE-2022-23477.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
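Review bot: In audin_send_open, the new sizing init_stream(s, wf->cbSize + 64) depends on the claim in the added comment that wf->cbSize was checked when the format was received, but that check is not part of this backport. Please confirm that the 0.9.20 tree already bounds cbSize where the client formats are parsed; if it does not, the upstream commit that adds the check has to be picked as well, otherwise this hunk only moves the problem. wf is also taken from g_client_formats[g_current_format] in the initializer with no visible range or NULL check in this function, so the fix assumes g_current_format was validated by the caller.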
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 03/12] xrdp: patch CVE-2022-23478
Date: Wed, 3 Dec 2025 22:29:40 +0100
Message-ID: <20251203212949.4046524-3-skandigraun@gmail.com>
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122281

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23478.patch | 85 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch new file mode 100644 index 0000000000..9aaa7a4a7d --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch
@@ -0,0 +1,85 @@ +From 6cb54a1c26b53617e1c79a0abc96d03c4add1eb8 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:12:42 +0000 +Subject: [PATCH] CVE-2022-23478 + +Fix potential OOB write if invalid chansrv channel opened + +Also removed an unnecessary dynamic memory allocation + +CVE: CVE-2022-23478 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/6cb54a1c26b53617e1c79a0abc96d03c4add1eb8] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..c91e03ab56 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + int error; + int chan_id; + int chansrv_chan_id; +- char *name; ++ char name[1024 + 1]; + struct xrdp_drdynvc_procs procs; + + if (!s_check_rem(s, 2)) +@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, name_bytes); +- if ((name_bytes < 1) || (name_bytes > 1024)) +- { +- return 1; +- } +- name = g_new(char, name_bytes + 1); +- if (name == NULL) ++ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1))) + { + return 1; + } + if (!s_check_rem(s, name_bytes)) + { +- g_free(name); + return 1; + } + in_uint8a(s, name, name_bytes); + name[name_bytes] = 0; + if (!s_check_rem(s, 8)) + { +- g_free(name); + return 1; + } + in_uint32_le(s, flags); + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } ++ + if (flags == 0) + { + /* open static channel, not supported */ +- g_free(name); + return 1; + } + else +@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + &chan_id); + if (error != 0) + { +- 
g_free(name); + return 1; + } + self->xr2cr_cid_map[chan_id] = chansrv_chan_id; + self->cs2xr_cid_map[chansrv_chan_id] = chan_id; + } +- g_free(name); + return 0; + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 91d4134789..e28f457e87 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ + file://CVE-2022-23478.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
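Review bot: The new range check in xrdp_mm_trans_process_drdynvc_channel_open uses a literal, chansrv_chan_id > 255, while the write it protects is self->cs2xr_cid_map[chansrv_chan_id]; the array size is not visible in this hunk, so the limit and the array can drift apart. Deriving the bound from the element count of cs2xr_cid_map would tie the two together. The neighbouring write self->xr2cr_cid_map[chan_id] gets no corresponding check on chan_id here, and the unchanged context still tests s_check_rem(s, 2) before the four-byte in_uint32_le(s, name_bytes). Both are worth confirming against later upstream commits before treating this function as fully covered.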
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 04/12] xrdp: patch CVE-2022-23479
Date: Wed, 3 Dec 2025 22:29:41 +0100
Message-ID: <20251203212949.4046524-4-skandigraun@gmail.com>
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122282

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23479.patch | 83 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch new file mode 100644 index 0000000000..62fa83b83f --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch
@@ -0,0 +1,83 @@ +From 60864014b733c10881c078048560858067fe5d0f Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:44:56 +0000 +Subject: [PATCH] CVE-2022-23479 + +Detect attempts to overflow input buffer + +If application code hasn't properly sanitised the header_size +for a transport, it is possible for read requests to be issued +which overflow the input buffer. This change detects this +at a low level and bounces the read request. + +CVE: CVE-2022-23479 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f] +Signed-off-by: Gyorgy Sarvari +--- + common/trans.c | 19 +++++++++++++++---- + common/trans.h | 2 +- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/common/trans.c b/common/trans.c +index 55d2a63812..1d2d3e68ae 100644 +--- a/common/trans.c ++++ b/common/trans.c +@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) + tbus in_sck = (tbus) 0; + struct trans *in_trans = (struct trans *) NULL; + int read_bytes = 0; +- int to_read = 0; +- int read_so_far = 0; ++ unsigned int to_read = 0; ++ unsigned int read_so_far = 0; + int rv = 0; + enum xrdp_source cur_source; + +@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) + } + else if (self->trans_can_recv(self, self->sck, 0)) + { ++ /* CVE-2022-23479 - check a malicious caller hasn't managed ++ * to set the header_size to an unreasonable value */ ++ if (self->header_size > (unsigned int)self->in_s->size) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "trans_check_wait_objs: Reading %u bytes beyond buffer", ++ self->header_size - (unsigned int)self->in_s->size); ++ self->status = TRANS_STATUS_DOWN; ++ return 1; ++ } ++ + cur_source = XRDP_SOURCE_NONE; + if (self->si != 0) + { + cur_source = self->si->cur_source; + self->si->cur_source = self->my_source; + } +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + 
to_read = self->header_size - read_so_far; + + if (to_read > 0) +@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) + } + } + +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + + if (read_so_far == self->header_size) + { +diff --git a/common/trans.h b/common/trans.h +index 1cd89fdac2..313c543b60 100644 +--- a/common/trans.h ++++ b/common/trans.h +@@ -98,7 +98,7 @@ struct trans + ttrans_data_in trans_data_in; + ttrans_conn_in trans_conn_in; + void *callback_data; +- int header_size; ++ unsigned int header_size; + struct stream *in_s; + struct stream *out_s; + char *listen_filename; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index e28f457e87..1900b1e842 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ + file://CVE-2022-23479.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
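Review bot: In trans_check_wait_objs, making to_read and read_so_far unsigned changes what to_read = self->header_size - read_so_far followed by if (to_read > 0) does: if read_so_far ever exceeds header_size, the subtraction now wraps to a large positive value and the read is attempted, where the signed version went negative and skipped it. The added guard compares header_size only with in_s->size, not with the bytes already buffered, so an explicit read_so_far > self->header_size test before the subtraction would close that case. Dropping the (int) casts also leaves the pointer difference self->in_s->end - self->in_s->data implicitly narrowed to unsigned int, which deserves an explicit cast or a size_t variable.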
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 05/12] xrdp: patch CVE-2022-23480
Date: Wed, 3 Dec 2025 22:29:42 +0100
Message-ID: <20251203212949.4046524-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
References: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122283

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23480-1.patch | 356 ++++++++++++++++++ .../xrdp/xrdp/CVE-2022-23480-2.patch | 54 +++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 2 + 3 files changed, 412 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch new file mode 100644 index 0000000000..2f34117ea9 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
@@ -0,0 +1,356 @@ +From 7ad7b05261c698b867c7c4f1bfffb4f911036847 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 12:48:57 +0000 +Subject: [PATCH] CVE-2022-23480 + +Added length checking to redirector response parsing + +CVE: CVE-2022-23480 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/7ad7b05261c698b867c7c4f1bfffb4f911036847] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++------- + 1 file changed, 123 insertions(+), 28 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index a44d47e635..7faa9bfc7a 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void); + static void devredir_send_server_clientID_confirm(void); + static void devredir_send_server_user_logged_on(void); + +-static void devredir_proc_client_core_cap_resp(struct stream *s); +-static void devredir_proc_client_devlist_announce_req(struct stream *s); +-static void devredir_proc_client_devlist_remove_req(struct stream *s); +-static void devredir_proc_device_iocompletion(struct stream *s); ++static int devredir_proc_client_core_cap_resp(struct stream *s); ++static int devredir_proc_client_devlist_announce_req(struct stream *s); ++static int devredir_proc_client_devlist_remove_req(struct stream *s); ++static int devredir_proc_device_iocompletion(struct stream *s); + static void devredir_proc_query_dir_response(IRP *irp, + struct stream *s_in, + tui32 DeviceId, +@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + } + + /* read header from incoming data */ ++ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER")) ++ { ++ rv = -1; ++ goto done; ++ } + xstream_rd_u16_le(ls, comp_type); + xstream_rd_u16_le(ls, pktID); + +@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, 
int chan_flags, int length, + switch (pktID) + { + case PAKID_CORE_CLIENTID_CONFIRM: +- xstream_seek(ls, 2); /* major version, we ignore it */ +- xstream_rd_u16_le(ls, minor_ver); +- xstream_rd_u32_le(ls, g_clientID); ++ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP")) ++ { ++ rv = -1; ++ } ++ else ++ { ++ xstream_seek(ls, 2); /* major version, we ignore it */ ++ xstream_rd_u16_le(ls, minor_ver); ++ xstream_rd_u32_le(ls, g_clientID); + +- g_client_rdp_version = minor_ver; ++ g_client_rdp_version = minor_ver; + +- switch (minor_ver) +- { +- case RDP_CLIENT_50: +- break; ++ switch (minor_ver) ++ { ++ case RDP_CLIENT_50: ++ break; + +- case RDP_CLIENT_51: +- break; ++ case RDP_CLIENT_51: ++ break; + +- case RDP_CLIENT_52: +- break; ++ case RDP_CLIENT_52: ++ break; + +- case RDP_CLIENT_60_61: +- break; ++ case RDP_CLIENT_60_61: ++ break; ++ } ++ // LK_TODO devredir_send_server_clientID_confirm(); + } +- // LK_TODO devredir_send_server_clientID_confirm(); + break; + + case PAKID_CORE_CLIENT_NAME: +@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + break; + + case PAKID_CORE_CLIENT_CAPABILITY: +- devredir_proc_client_core_cap_resp(ls); ++ rv = devredir_proc_client_core_cap_resp(ls); + break; + + case PAKID_CORE_DEVICELIST_ANNOUNCE: +- devredir_proc_client_devlist_announce_req(ls); ++ rv = devredir_proc_client_devlist_announce_req(ls); + break; + + case PAKID_CORE_DEVICELIST_REMOVE: +- devredir_proc_client_devlist_remove_req(ls); ++ rv = devredir_proc_client_devlist_remove_req(ls); + break; + + case PAKID_CORE_DEVICE_IOCOMPLETION: +- devredir_proc_device_iocompletion(ls); ++ rv = devredir_proc_device_iocompletion(ls); + break; + + default: +@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id, + * @brief process client's response to our core_capability_req() msg + * + * @param s stream containing client's response ++ * @return 0 for success, -1 otherwise + 
*****************************************************************************/ +-static void ++static int + devredir_proc_client_core_cap_resp(struct stream *s) + { + int i; +@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s) + tui32 cap_version; + char *holdp; + ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, num_caps); + xstream_seek(s, 2); /* padding */ + + for (i = 0; i < num_caps; i++) + { + holdp = s->p; ++ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, cap_type); + xstream_rd_u16_le(s, cap_len); + xstream_rd_u32_le(s, cap_version); ++ /* Convert the length to a remaining length. Underflow is possible, ++ * but this is an unsigned type so that's OK */ ++ cap_len -= (s->p - holdp); ++ if (cap_len > 0 && ++ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length")) ++ { ++ return -1; ++ } + + switch (cap_type) + { +@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s) + scard_init(); + break; + } +- s->p = holdp + cap_len; ++ xstream_seek(s, cap_len); + } ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_announce_req(struct stream *s) + { + unsigned int i; +@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + enum NTSTATUS response_status; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ")) ++ { ++ return -1; ++ } ++ + xstream_rd_u32_le(s, device_count); + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count); + + for (i = 0; i < device_count; i++) + { ++ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_type); + xstream_rd_u32_le(s, g_device_id); + /* get preferred DOS name +@@ -816,6 +856,12 
@@ devredir_proc_client_devlist_announce_req(struct stream *s) + + /* Read the device data length from the stream */ + xstream_rd_u32_le(s, device_data_len); ++ if (device_data_len > 0 && ! ++ !s_check_rem_and_log(s, device_data_len, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata")) ++ { ++ return -1; ++ } + + switch (device_type) + { +@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + devredir_send_server_device_announce_resp(g_device_id, + response_status); + } ++ ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_remove_req(struct stream *s) + { + unsigned int i; +@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + tui32 device_id; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_count); ++ if (!s_check_rem_and_log(s, 4 * device_count, ++ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list")) ++ { ++ return -1; ++ } + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count); + { +@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + xfuse_delete_share(device_id); + } + } ++ return 0; + } + +-static void ++static int + devredir_proc_device_iocompletion(struct stream *s) + { + IRP *irp = NULL; +@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s) + tui32 Length; + enum COMPLETION_TYPE comp_type; + ++ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, DeviceId); + xstream_rd_u32_le(s, CompletionId); + xstream_rd_u32_le(s, IoStatus32); +@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s) + } + else + { ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_send_drive_dir_request(irp, DeviceId, + 1, 
irp->pathname); +@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_CREATE_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_create_file( +@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_OPEN_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info, +@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_READ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); ++ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info, + IoStatus, + s->p, Length); +@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_WRITE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); + xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info, + IoStatus, +@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RMDIR_OR_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rmdir_or_file(irp, IoStatus); + break; +@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RENAME_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rename_file(irp, IoStatus); + break; +@@ -1051,6 +1145,7 @@ 
devredir_proc_device_iocompletion(struct stream *s) + break; + } + } ++ return 0; + } + + static void diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch new file mode 100644 index 0000000000..c14e77e538 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch 
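Review bot: In devredir_proc_client_devlist_announce_req() the new device-data check reads `if (device_data_len > 0 && ! !s_check_rem_and_log(s, device_data_len, ...))` as posted; the two negations cancel, so the function returns -1 when the announced device data is present and carries on when the stream is short, which is the opposite of every other check in CVE-2022-23480-1.patch. Please compare with the upstream commit named in Upstream-Status and drop the stray `!`. Two smaller points in the same file: the PAKID_CORE_CLIENTID_CONFIRM branch of devredir_data_in() checks for 6 remaining bytes but then consumes 8 (`xstream_seek(ls, 2)`, one u16 and one u32), and in devredir_proc_client_devlist_remove_req() the length `4 * device_count` is computed from a 32-bit count taken off the wire, so it can wrap before it reaches s_check_rem_and_log(); a bound on device_count ahead of the multiplication would close that.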
@@ -0,0 +1,54 @@ +From 191ed3e3fa892c7dc26e142c7af7af546fcce87d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Thu, 8 Dec 2022 14:13:48 +0000 +Subject: [PATCH] Remove unused g_full_name_for_filesystem + +Not only was this unused, the way it was read could lead to a +buffer overflow (CVE-2022-23480) + +CVE: CVE-2022-23480 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/191ed3e3fa892c7dc26e142c7af7af546fcce87d] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index 7faa9bfc7a..6ce35e34de 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -103,7 +103,6 @@ int g_is_port_redir_supported = 0; + int g_is_drive_redir_supported = 0; + int g_is_smartcard_redir_supported = 0; + int g_drive_redir_version = 1; +-char g_full_name_for_filesystem[1024]; + tui32 g_completion_id = 1; + + tui32 g_clientID; /* unique client ID - announced by client */ +@@ -866,21 +865,18 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + switch (device_type) + { + case RDPDR_DTYP_FILESYSTEM: +- /* get device data len */ +- if (device_data_len) +- { +- xstream_rd_string(g_full_name_for_filesystem, s, +- device_data_len); +- } ++ /* At present we don't use the full name - see ++ * [MS-RDPEFS] 2.2.3.1 for details of the contents */ ++ xstream_skip_u8(s, device_data_len); + + LOG(LOG_LEVEL_INFO, "Detected remote drive '%s'", + preferred_dos_name); + + LOG_DEVEL(LOG_LEVEL_DEBUG, + "device_type=FILE_SYSTEM device_id=0x%x dosname=%s " +- "device_data_len=%d full_name=%s", g_device_id, ++ "device_data_len=%d", g_device_id, + preferred_dos_name, +- device_data_len, g_full_name_for_filesystem); ++ device_data_len); + + response_status = STATUS_SUCCESS; + 
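Review bot: `xstream_skip_u8(s, device_data_len)` in the RDPDR_DTYP_FILESYSTEM case has no bounds check visible in this hunk; it relies on the device_data_len check that CVE-2022-23480-1.patch adds just above the switch. The commit message should say that the two patches are a pair and must keep this order in SRC_URI, so that a later rebase does not drop or reorder one of them. It also says "the patch" although two upstream commits are picked.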
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 1900b1e842..55dab2e867 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -20,6 +20,8 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ file://CVE-2022-23479.patch \ + file://CVE-2022-23480-1.patch \ + file://CVE-2022-23480-2.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Wed Dec 3 21:29:43 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 75814
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 06/12] xrdp: patch CVE-2022-23481
Date: Wed, 3 Dec 2025 22:29:43 +0100
Message-ID: <20251203212949.4046524-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
References: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122284

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23481.patch | 46 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch new file mode 100644 index 0000000000..b138b535e3 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch
@@ -0,0 +1,46 @@ +From c77e974080da8267d902f99ca5ab7d22ea02d98c Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:40:25 +0000 +Subject: [PATCH] CVE-2022-23481 + +Add length checks to client confirm active PDU parsing + +CVE: CVE-2022-23481 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/c77e974080da8267d902f99ca5ab7d22ea02d98c] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_caps.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c +index 5c5e74a579..ac21cc0a18 100644 +--- a/libxrdp/xrdp_caps.c ++++ b/libxrdp/xrdp_caps.c +@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s) + int len; + char *p; + ++ if (!s_check_rem_and_log(s, 10, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header")) ++ { ++ return 1; ++ } + in_uint8s(s, 4); /* rdp_shareid */ + in_uint8s(s, 2); /* userid */ + in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */ + in_uint16_le(s, cap_len); ++ ++ if (!s_check_rem_and_log(s, source_len + 2 + 2, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header2")) ++ { ++ return 1; ++ } + in_uint8s(s, source_len); + in_uint16_le(s, num_caps); + in_uint8s(s, 2); /* pad */ ++ + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU " + "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, " + "lengthCombinedCapabilities %d, sourceDescriptor (ignored), " diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 55dab2e867..ff14cf8397 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
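Review bot: `cap_len` (lengthCombinedCapabilities) is read from the PDU in xrdp_caps_process_confirm_active(), but neither of the two added checks compares it with the bytes left in the stream; only source_len is bounded. Please confirm that the capability loop below this hunk checks each capability set against the remaining length, or add a check on cap_len here next to the "header2" one.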
@@ -22,6 +22,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23479.patch \ file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ + file://CVE-2022-23481.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Wed Dec 3 21:29:44 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 75817
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH 07/12] xrdp: patch CVE-2022-23482
Date: Wed, 3 Dec 2025 22:29:44 +0100
Message-ID: <20251203212949.4046524-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com>
References: <20251203212949.4046524-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122285

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23482.patch | 69 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch new file mode 100644 index 0000000000..5c22701d35 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
@@ -0,0 +1,69 @@ +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:05:46 +0000 +Subject: [PATCH] CVE-2022-23482 + +Check minimum length of TS_UD_CS_CORE message + +CVE: CVE-2022-23482 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c +index 691d4f04f3..084fca6b8d 100644 +--- a/libxrdp/xrdp_sec.c ++++ b/libxrdp/xrdp_sec.c +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) + static int + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + { ++#define CS_CORE_MIN_LENGTH \ ++ (\ ++ 4 + /* Version */ \ ++ 2 + 2 + /* desktopWidth + desktopHeight */ \ ++ 2 + 2 + /* colorDepth + SASSequence */ \ ++ 4 + /* keyboardLayout */ \ ++ 4 + 32 + /* clientBuild + clientName */ \ ++ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ ++ 64 + /* imeFileName */ \ ++ 0) ++ + int version; + int colorDepth; + int postBeta2ColorDepth; +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + + UNUSED_VAR(version); + +- /* TS_UD_CS_CORE requiered fields */ ++ /* TS_UD_CS_CORE required fields */ ++ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, ++ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) ++ { ++ return 1; ++ } + in_uint32_le(s, version); + in_uint16_le(s, self->rdp_layer->client_info.width); + in_uint16_le(s, self->rdp_layer->client_info.height); +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + clientName); + + /* TS_UD_CS_CORE optional fields */ ++ if (!s_check_rem(s, 2)) ++ { ++ return 0; ++ } + in_uint16_le(s, postBeta2ColorDepth); + 
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " + " postBeta2ColorDepth %s", +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + " desktopOrientation (ignored)"); + + return 0; ++#undef CS_CORE_MIN_LENGTH + } + + /*****************************************************************************/ diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index ff14cf8397..29245f3747 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
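Review bot: The header of CVE-2022-23482.patch carries `Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/...]` with no space before the bracket; the documented form is `Upstream-Status: Backport [URL]`, and the other patch files added in this series have the same spelling. Please fix it in each of them before this goes in.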
@@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ + file://CVE-2022-23482.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Wed Dec 3 21:29:45 2025
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 75819
X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 08/12] xrdp: patch CVE-2022-23483 Date: Wed, 3 Dec 2025 22:29:45 +0100 Message-ID: <20251203212949.4046524-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com> References: <20251203212949.4046524-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Dec 2025 21:30:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122286 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23483.patch | 65 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch new file mode 100644 index 0000000000..6c488f7e3e --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch 
@@ -0,0 +1,65 @@ +From 35cca701c753db65d3c05b7ea4fff9bd09e76661 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:21:41 +0000 +Subject: [PATCH] CVE-2022-23483 + +Sanitise channel data being passed from application + +Avoids OOB read if the size field is incorrect. + +CVE: CVE-2022-23483 +Upstream-Status: Backport[https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661] +Signed-off-by: Gyorgy Sarvari + +--- + xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..64ae229e01 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans) + static int + xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s) + { +- int size; +- int total_size; ++ unsigned int size; ++ unsigned int total_size; + int chan_id; + int chan_flags; +- int rv; +- +- in_uint16_le(s, chan_id); +- in_uint16_le(s, chan_flags); +- in_uint16_le(s, size); +- in_uint32_le(s, total_size); +- rv = 0; ++ int rv = 0; + +- if (rv == 0) ++ if (!s_check_rem_and_log(s, 10, "Reading channel data header")) ++ { ++ rv = 1; ++ } ++ else + { +- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size, +- chan_flags); ++ in_uint16_le(s, chan_id); ++ in_uint16_le(s, chan_flags); ++ in_uint16_le(s, size); ++ in_uint32_le(s, total_size); ++ if (!s_check_rem_and_log(s, size, "Reading channel data data")) ++ { ++ rv = 1; ++ } ++ else ++ { ++ rv = libxrdp_send_to_channel(self->wm->session, chan_id, ++ s->p, size, total_size, chan_flags); ++ } + } + + return rv; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 29245f3747..f9e2105500 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ + file://CVE-2022-23483.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Wed Dec 3 21:29:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75816 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F7B4D1BDED for ; Wed, 3 Dec 2025 21:30:00 +0000 (UTC) Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.27239.1764797397990504462 for ; Wed, 03 Dec 2025 13:29:58 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=QXmcQTSE; spf=pass (domain: gmail.com, ip: 209.85.221.44, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-42b38693c4dso100926f8f.3 for ; Wed, 03 Dec 2025 13:29:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764797396; x=1765402196; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GX5qEgeg7cJspZoltOobNZSb9v0oM3+6WH6GW6bENtI=; b=QXmcQTSEUsm4B1d6+ue+ci/b2jMKQx/2jaQEr0upmRcQObwh38ix7O5yIcam6lZyqS sWuhZRGG9CnsSbkE2Nzpf8ztjb2e6AYjC12qnorqPSnH9FZ7XxbcKoDroBiCExD9Ja6h /5o6CWJeTftAVc6KWmu+pKHCKpYsasEJie+zdHhEoR777643CrIAWV8R2ACWRHEEwORa Pt3GXd6+mC3LYqhX4tQFgaSo1XUdq8R6KSa7+ECZa5QT0tiqNMuU9oOVAi9amjZiRklk 
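Review bot: In the header of the new CVE-2022-23483.patch, the tag is written as Upstream-Status: Backport[https://...] with no space before the bracket, unlike the other patches in this series, which use Backport [https://...]; add the space so anything that parses the tag sees the same form everywhere. In the xrdp_mm.c change, s_check_rem_and_log() bounds size against the bytes left in the stream, but total_size is still passed to libxrdp_send_to_channel() exactly as read from the stream, and nothing in these lines checks that size <= total_size, so it is worth confirming that the callee tolerates an inconsistent pair. The log text "Reading channel data data" matches the upstream commit and should stay as it is in a backport.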
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 09/12] xrdp: patch CVE-2022-23484 Date: Wed, 3 Dec 2025 22:29:46 +0100 Message-ID: <20251203212949.4046524-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com> References: <20251203212949.4046524-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Dec 2025 21:30:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122287 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23484.patch | 31 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch new file mode 100644 index 0000000000..af27c50376 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch 
@@ -0,0 +1,31 @@ +From c2c6efb1d377be6baaa4acbc9d3700490fe92887 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:03:24 +0000 +Subject: [PATCH] CVE-2022-23484 + +Add check for RAIL window text size + +CVE: CVE-2022-23484 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/c2c6efb1d377be6baaa4acbc9d3700490fe92887] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..4352625874 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -929,6 +929,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s) + + g_memset(&rwso, 0, sizeof(rwso)); + in_uint32_le(s, size); /* title size */ ++ if (size < 0 || !s_check_rem(s, size)) ++ { ++ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d", ++ __func__, size); ++ return 1; ++ } + rwso.title_info = g_new(char, size + 1); + in_uint8a(s, rwso.title_info, size); + rwso.title_info[size] = 0; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index f9e2105500..a9107a0e26 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ + file://CVE-2022-23484.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Wed Dec 3 21:29:47 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75818 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43EA1D1BDF0 for ; Wed, 3 Dec 2025 21:30:00 +0000 (UTC) Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.27241.1764797398638170772 for ; Wed, 03 Dec 2025 13:29:58 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=KgsCZLHr; spf=pass (domain: gmail.com, ip: 209.85.221.51, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-42e2e2eccd2so193407f8f.1 for ; Wed, 03 Dec 2025 13:29:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764797397; x=1765402197; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=K2nuIga+F26K9UDDl4BEbrHVmKCoDmjU9KlwWNukMKQ=; b=KgsCZLHrxw/sXNgLxTKwlVStQWpflKqs3EPGXtpDsbofzBcEgb7ZFoXaLWevdkFcOQ 1Uye0PW85bu9oveSKqA39DcYQ7Bq0UEhJctY0vL7iDTGOPULr0NV4gjC44hgHOr77AUJ LW0iRTy3cimlfHQsw97mSG5fcLhYk/Ckov32YqECjmXzrl8rxTcbUoarUiwTLl54ewzY x3YHjcO+Ju6b0lSKo8LHC9y/pmiJ6HCEe8RUx6DfvyMNLyD68dETNy9Kps2KL4o4+hae 
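Review bot: In xrdp_mm_process_rail_update_window_text(), the added check validates size only after in_uint32_le(s, size) has already read the four-byte length, and the context shown here has no s_check_rem(s, 4) ahead of that read; please confirm that the caller or an earlier part of the function guarantees those bytes, otherwise the length field itself can still be read past the end of the stream. The context line rwso.title_info = g_new(char, size + 1) is followed directly by in_uint8a() with no NULL check, so an allocation failure for a large but in-bounds size would still be dereferenced. The size < 0 test and the %d format only make sense while size is a signed int; if it is later made unsigned, as was done for the variables in the CVE-2022-23483 patch, both need updating.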
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 10/12] xrdp: patch CVE-2022-23493 Date: Wed, 3 Dec 2025 22:29:47 +0100 Message-ID: <20251203212949.4046524-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com> References: <20251203212949.4046524-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Dec 2025 21:30:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122288 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23493.patch | 33 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch new file mode 100644 index 0000000000..de3f7a42f3 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch 
@@ -0,0 +1,33 @@ +From 030db5524be7616967ae9e7d26b3d4477cf6082d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:49:06 +0000 +Subject: [PATCH] CVE-2022-23493 + +Check chansrv channel ID on a channel close + +Prevent OOB read if an invalid channel ID is sent. + +CVE: CVE-2022-23493 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/030db5524be7616967ae9e7d26b3d4477cf6082d] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..068424885e 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1435,6 +1435,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } + chan_id = self->cs2xr_cid_map[chansrv_chan_id]; + /* close dynamic channel */ + error = libxrdp_drdynvc_close(self->wm->session, chan_id); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index a9107a0e26..f3d11522ac 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ + file://CVE-2022-23493.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Wed Dec 3 21:29:48 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75823 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FEE9D1BDF7 for ; Wed, 3 Dec 2025 21:30:00 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.27328.1764797399869451101 for ; Wed, 03 Dec 2025 13:30:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=i8mXiDea; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-4779aa4f928so2342435e9.1 for ; Wed, 03 Dec 2025 13:29:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764797398; x=1765402198; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=M5G7ehU4h39LVykCQW8OCkH5MZePjbSx6H9w7wMk0FI=; b=i8mXiDeazTBj5xhDAkH76HyukgqBV9IuNx3SabbVlUBRw2TxyZJSwBTrFA59lbg+AD wsTCVINaflp/7PXmVKxW+EFzxc7Wl3AAzLmZXW1jzInQ4ihoCNaT0rbBW2IG7d1isgxY NTM3WszadFnaIkg5usoRYBkjK+Ljt084dB3uuAvm7n2P9YbWcXfBJC/XSEtsv1qdf+PM tRCP1LHWAOaebTgoKIPdKqJ8JNDwMvYUF73v7RSapGYbswdjijVnvBg9rJeWPRCOvrOb 
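Review bot: In xrdp_mm_trans_process_drdynvc_channel_close(), the new upper bound is the literal 255, while the size of the array it protects, self->cs2xr_cid_map, is not visible in this hunk; the check is only correct as long as that array has at least 256 entries. A bound tied to the array's declaration (a shared constant or an element count of cs2xr_cid_map) would keep the two from drifting apart. The hunk also passes the looked-up chan_id straight to libxrdp_drdynvc_close(), so an in-range chansrv ID that was never mapped still reaches the close call; confirm that case is handled in the callee.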
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 11/12] xrdp: patch CVE-2023-40184 Date: Wed, 3 Dec 2025 22:29:48 +0100 Message-ID: <20251203212949.4046524-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com> References: <20251203212949.4046524-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Dec 2025 21:30:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122289 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184 Pick the patch that is associated with the github advisory[1], which is a backported version of the patch that is referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2023-40184.patch | 73 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch new file mode 100644 index 0000000000..c4a6a1b862 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch 
@@ -0,0 +1,73 @@ +From 322d11b431e4773f77aaeb764571a3a8d60f9fca Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Sat, 19 Aug 2023 13:26:44 +0100 +Subject: [PATCH] [v0.9] Check auth_start_session() result + +CVE: CVE-2023-40184 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/8c5b7cdff3929dc59c5f13e33cec839ed45d1c34] +Signed-off-by: Gyorgy Sarvari +--- + sesman/session.c | 7 ++++++- + sesman/verify_user_pam.c | 24 ++++++++++++++++++++++-- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/sesman/session.c b/sesman/session.c +index 441f8d3a60..d352f5e859 100644 +--- a/sesman/session.c ++++ b/sesman/session.c +@@ -526,7 +526,12 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s) + g_delete_wait_obj(g_sigchld_event); + g_delete_wait_obj(g_term_event); + +- auth_start_session(data, display); ++ if (auth_start_session(data, display) != 0) ++ { ++ // Errors are logged by the auth module, as they are ++ // specific to that module ++ g_exit(1); ++ } + sesman_close_all(); + g_sprintf(geometry, "%dx%d", s->width, s->height); + g_sprintf(depth, "%d", s->bpp); +diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c +index a34d83cd7d..ed17397fc3 100644 +--- a/sesman/verify_user_pam.c ++++ b/sesman/verify_user_pam.c +@@ -316,8 +316,8 @@ auth_userpass(const char *user, const char *pass, int *errorcode) + + /******************************************************************************/ + /* returns error */ +-int +-auth_start_session(long in_val, int in_display) ++static int ++auth_start_session_private(long in_val, int in_display) + { + struct t_auth_info *auth_info; + int error; +@@ -357,6 +357,26 @@ auth_start_session(long in_val, int in_display) + return 0; + } + ++/******************************************************************************/ ++/** ++ * Main routine to start a session ++ * ++ * Calls the private routine and logs an additional error if the private 
++ * routine fails ++ */ ++int ++auth_start_session(long in_val, int in_display) ++{ ++ int result = auth_start_session_private(in_val, in_display); ++ if (result != 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "Can't start PAM session. See PAM logging for more info"); ++ } ++ ++ return result; ++} ++ + /******************************************************************************/ + /* returns error */ + int diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index f3d11522ac..5a1d904a15 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ + file://CVE-2023-40184.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Wed Dec 3 21:29:49 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75825 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72361D1BDE8 for ; Wed, 3 Dec 2025 21:30:10 +0000 (UTC) Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.27244.1764797400667078450 for ; Wed, 03 Dec 2025 13:30:01 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=MnLuzIdF; spf=pass (domain: gmail.com, ip: 209.85.128.45, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-4779ce2a624so2474185e9.2 for ; Wed, 03 Dec 2025 13:30:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764797399; x=1765402199; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=nM5SiO+Vq6w9oLpjZ70aFh9RBMYLniAlO5FjlnmfeXg=; b=MnLuzIdFTNi2Xle2eYtVi+aJWP1dhm+Pk+UvI+SE4C7nQoCxNP0LT6iwl/0+/YSKZi FmYrWNv0zSYuBiurlG5xGfnd4bJv4+RPdhpaE/qIRULAkP6f2A9+6pLp/SJ6bXQIr24W qDIRI4nao//rvCnxtC1mJWYaxW49Raw2hOgrl/V7P/BWSQg3yF0PwWugOq1vKaunTU/F GMcSmZAdpL1jqMxSypfGZTJ7hLuvaXRqJn7jKuNhHzU5Ibl6DZI8mktFQUbAoshhww6w 
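Review bot: The header of CVE-2023-40184.patch names two different commits: the From line carries 322d11b431e4773f77aaeb764571a3a8d60f9fca, while Upstream-Status points at commit 8c5b7cdff3929dc59c5f13e33cec839ed45d1c34. The commit message says the backported version tied to the GitHub advisory was picked, so the Upstream-Status URL should reference the commit that was actually applied, or the header should say which hash is the applied backport and which is the original fix, so the provenance of the patch can be checked. In sesman/session.c, the new failure path in session_start_fork() calls g_exit(1) before sesman_close_all(), which fails in the safe direction; the only log entry for it comes from the new auth_start_session() wrapper, whose message carries neither the user nor in_display, so tying a failed start to a login attempt depends on the PAM log.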
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH 12/12] xrdp: patch CVE-2023-42822 Date: Wed, 3 Dec 2025 22:29:49 +0100 Message-ID: <20251203212949.4046524-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251203212949.4046524-1-skandigraun@gmail.com> References: <20251203212949.4046524-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Dec 2025 21:30:10 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122290 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822 Pick the patch that references the github advisory[1] and the cve ID also from the nvd report. The patch is a backported version of the patch referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2023-42822.patch | 304 ++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 305 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch new file mode 100644 index 0000000000..2cf7968f3c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch 
@@ -0,0 +1,304 @@ +From 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Mon, 25 Sep 2023 11:25:04 +0100 +Subject: [PATCH] CVE-2023-42822 + +- font_items in struct xrdp_font renamed to chars to catch all + accesses to it. This name is consistent with the type of + the array elements (struct xrdp_font_char). +- Additional fields added to struct xrdp_font to allow for range + checking and for a default character to be provided +- Additional checks and logic added to xrdp_font_create() +- New macro XRDP_FONT_GET_CHAR() added to perform checked access + to chars field in struct xrdp_font + +CVE: CVE-2023-42822 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/fd25fc546a68a94163413ff2cf3989c1e239e762] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp.h | 9 ++++ + xrdp/xrdp_font.c | 113 +++++++++++++++++++++++++++++++++++++------- + xrdp/xrdp_painter.c | 10 ++-- + xrdp/xrdp_types.h | 8 +++- + 4 files changed, 115 insertions(+), 25 deletions(-) + +diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h +index 36d8f87a9a..be008aa227 100644 +--- a/xrdp/xrdp.h ++++ b/xrdp/xrdp.h +@@ -345,6 +345,15 @@ xrdp_font_delete(struct xrdp_font *self); + int + xrdp_font_item_compare(struct xrdp_font_char *font1, + struct xrdp_font_char *font2); ++/** ++ * Gets a checked xrdp_font_char from a font ++ * @param f Font ++ * @param c32 Unicode codepoint ++ */ ++#define XRDP_FONT_GET_CHAR(f, c32) \ ++ (((unsigned int)(c32) >= ' ') && ((unsigned int)(c32) < (f)->char_count) \ ++ ? 
((f)->chars + (unsigned int)(c32)) \ ++ : (f)->default_char) + + /* funcs.c */ + int +diff --git a/xrdp/xrdp_font.c b/xrdp/xrdp_font.c +index c089db0075..2b34f36ca6 100644 +--- a/xrdp/xrdp_font.c ++++ b/xrdp/xrdp_font.c +@@ -65,6 +65,12 @@ static char w_char[] = + }; + #endif + ++// Unicode definitions ++#define UNICODE_WHITE_SQUARE 0x25a1 ++ ++// First character allocated in the 'struct xrdp_font.chars' array ++#define FIRST_CHAR ' ' ++ + /*****************************************************************************/ + struct xrdp_font * + xrdp_font_create(struct xrdp_wm *wm) +@@ -74,7 +80,7 @@ xrdp_font_create(struct xrdp_wm *wm) + int fd; + int b; + int i; +- int index; ++ unsigned int char_count; + int datasize; + int file_size; + struct xrdp_font_char *f; +@@ -100,17 +106,39 @@ xrdp_font_create(struct xrdp_wm *wm) + } + + self = (struct xrdp_font *)g_malloc(sizeof(struct xrdp_font), 1); ++ if (self == NULL) ++ { ++ LOG(LOG_LEVEL_ERROR, "xrdp_font_create: " ++ "Can't allocate memory for font"); ++ return self; ++ } + self->wm = wm; + make_stream(s); + init_stream(s, file_size + 1024); + fd = g_file_open(file_path); + +- if (fd != -1) ++ if (fd < 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Can't open %s - %s", file_path, ++ g_get_strerror()); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + b = g_file_read(fd, s->data, file_size + 1024); + g_file_close(fd); + +- if (b > 0) ++ // Got at least a header? 
++ if (b < (4 + 32 + 2 + 2 + 8)) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Font %s is truncated", file_path); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + s->end = s->data + b; + in_uint8s(s, 4); +@@ -118,11 +146,27 @@ xrdp_font_create(struct xrdp_wm *wm) + in_uint16_le(s, self->size); + in_uint16_le(s, self->style); + in_uint8s(s, 8); +- index = 32; ++ char_count = FIRST_CHAR; + +- while (s_check_rem(s, 16)) ++ while (!s_check_end(s)) + { +- f = self->font_items + index; ++ if (!s_check_rem(s, 16)) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Can't parse header for character U+%X", char_count); ++ break; ++ } ++ ++ if (char_count >= MAX_FONT_CHARS) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Ignoring characters >= U+%x", MAX_FONT_CHARS); ++ break; ++ } ++ ++ f = self->chars + char_count; + in_sint16_le(s, i); + f->width = i; + in_sint16_le(s, i); +@@ -139,23 +183,56 @@ xrdp_font_create(struct xrdp_wm *wm) + if (datasize < 0 || datasize > 512) + { + /* shouldn't happen */ +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create, datasize wrong " +- "width %d, height %d, datasize %d, index %d", +- f->width, f->height, datasize, index); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "datasize for U+%x wrong " ++ "width %d, height %d, datasize %d", ++ char_count, f->width, f->height, datasize); + break; + } + +- if (s_check_rem(s, datasize)) ++ if (!s_check_rem(s, datasize)) + { +- f->data = (char *)g_malloc(datasize, 0); +- in_uint8a(s, f->data, datasize); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Not enough data for character U+%X", char_count); ++ break; + } +- else ++ ++ if ((f->data = (char *)g_malloc(datasize, 0)) == NULL) + { +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create"); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Allocation error for character U+%X", char_count); ++ break; + } ++ in_uint8a(s, f->data, datasize); ++ ++ ++char_count; ++ } + +- index++; ++ self->char_count = char_count; ++ if 
(char_count <= FIRST_CHAR) ++ { ++ /* We read no characters from the font */ ++ xrdp_font_delete(self); ++ self = NULL; ++ } ++ else ++ { ++ // Find a default glyph ++ if (char_count > UNICODE_WHITE_SQUARE) ++ { ++ self->default_char = &self->chars[UNICODE_WHITE_SQUARE]; ++ } ++ else if (char_count > '?') ++ { ++ self->default_char = &self->chars['?']; ++ } ++ else ++ { ++ self->default_char = &self->chars[FIRST_CHAR]; ++ } + } + } + } +@@ -178,16 +255,16 @@ xrdp_font_create(struct xrdp_wm *wm) + void + xrdp_font_delete(struct xrdp_font *self) + { +- int i; ++ unsigned int i; + + if (self == 0) + { + return; + } + +- for (i = 0; i < NUM_FONTS; i++) ++ for (i = FIRST_CHAR; i < self->char_count; i++) + { +- g_free(self->font_items[i].data); ++ g_free(self->chars[i].data); + } + + g_free(self); +diff --git a/xrdp/xrdp_painter.c b/xrdp/xrdp_painter.c +index b02c9072b6..832186ff22 100644 +--- a/xrdp/xrdp_painter.c ++++ b/xrdp/xrdp_painter.c +@@ -455,7 +455,7 @@ xrdp_painter_text_width(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = rv + font_item->incby; + } + +@@ -493,7 +493,7 @@ xrdp_painter_text_height(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = MAX(rv, font_item->height); + } + +@@ -870,7 +870,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + total_height = 0; + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + k = font_item->incby; + total_width += k; + total_height = MAX(total_height, font_item->height); +@@ -904,7 +904,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + draw_rect.bottom - draw_rect.top); + for (index = 0; index < len; 
index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + g_memset(&pat, 0, sizeof(pat)); + pat.format = PT_FORMAT_c1; + pat.width = font_item->width; +@@ -946,7 +946,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + i = xrdp_cache_add_char(self->wm->cache, font_item); + f = HIWORD(i); + c = LOWORD(i); +diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h +index 41b65702f0..b794890b08 100644 +--- a/xrdp/xrdp_types.h ++++ b/xrdp/xrdp_types.h +@@ -574,7 +574,7 @@ struct xrdp_bitmap + int crc16; + }; + +-#define NUM_FONTS 0x4e00 ++#define MAX_FONT_CHARS 0x4e00 + #define DEFAULT_FONT_NAME "sans-10.fv1" + + #define DEFAULT_ELEMENT_TOP 35 +@@ -594,7 +594,11 @@ struct xrdp_bitmap + struct xrdp_font + { + struct xrdp_wm *wm; +- struct xrdp_font_char font_items[NUM_FONTS]; ++ // Font characters, accessed by Unicode codepoint. The first 32 ++ // entries are unused. ++ struct xrdp_font_char chars[MAX_FONT_CHARS]; ++ unsigned int char_count; // # elements in above array ++ struct xrdp_font_char *default_char; // Pointer into above array + char name[32]; + int size; + int style; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 5a1d904a15..d2ace79c55 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb @@ -28,6 +28,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ file://CVE-2023-40184.patch \ + file://CVE-2023-42822.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
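Review bot: XRDP_FONT_GET_CHAR in xrdp/xrdp.h hard-codes its lower bound as ' ' while xrdp/xrdp_font.c separately defines FIRST_CHAR for the same value, so the macro and the loader can drift apart. Define FIRST_CHAR once in the header beside the macro and use it in both places. The macro also expands c32 up to three times and f up to twice, which is safe for the wstr[index] call sites in this patch but not for an argument with side effects; a static inline function would remove that trap. The doc comment should also state that a codepoint outside the loaded range yields default_char.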
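Review bot: the header-length test "if (b < (4 + 32 + 2 + 2 + 8))" in xrdp_font_create spells the header size as bare numbers with only "Got at least a header?" as explanation. A named constant with a comment listing the fields would keep the sum tied to the in_uint8s and in_uint16_le reads that follow it, so a later change to the header parsing cannot silently leave the check stale.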
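Review bot: in the glyph loop of xrdp_font_create, a datasize of 0 passes the "datasize < 0 || datasize > 512" test and reaches g_malloc(datasize, 0). If that call can return NULL for a zero-length request, a glyph with no bitmap is logged as "Allocation error" and parsing stops early. Either skip the allocation when datasize is 0 or reject 0 in the range test, so the behaviour is explicit. The new log calls also mix U+%X and U+%x for the same char_count value; use one form throughout.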
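Review bot: the five XRDP_FONT_GET_CHAR call sites in xrdp/xrdp_painter.c dereference the font pointer inside the macro, and this patch adds paths where xrdp_font_create returns NULL (allocation failure, file open failure, truncated header, no characters read). The context shown for xrdp_painter_text_width and xrdp_painter_text_height contains no NULL check on self->font, so please confirm that every caller either checks the result of xrdp_font_create or cannot reach these loops without a font.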
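Review bot: in struct xrdp_font (xrdp/xrdp_types.h), the comment on default_char says only "Pointer into above array", yet XRDP_FONT_GET_CHAR returns it unchecked and every painter call site dereferences the result. Document that default_char is never NULL for a font returned by xrdp_font_create. The new comments here and in xrdp/xrdp_font.c use // while the surrounding context uses /* */ (for example "/* funcs.c */" and "/* shouldn't happen */"); match the existing style. The "first 32 entries are unused" remark would be better expressed in terms of FIRST_CHAR than as a second copy of the number.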