From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 01/12] xrdp: patch CVE-2022-23468
Date: Thu, 4 Dec 2025 08:56:24 +0100
Message-ID: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122303

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23468.patch | 34 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch new file mode 100644 index 0000000000..6f8b3a0fb1 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch 
@@ -0,0 +1,34 @@ +From 43cf272b1138462c1bdfc48ef7e9142208194382 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:16:44 +0000 +Subject: [PATCH] CVE-2022-23468 + +Login window - replace g_sprintf() withl g_snprintf() calls + +CVE: CVE-2022-23468 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/43cf272b1138462c1bdfc48ef7e9142208194382] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_login_wnd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c +index 7a3134fd3e..28748676a1 100644 +--- a/xrdp/xrdp_login_wnd.c ++++ b/xrdp/xrdp_login_wnd.c +@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self) + if (globals->ls_title[0] == 0) + { + g_gethostname(buf1, 256); +- g_sprintf(buf, "Login to %s", buf1); ++ g_snprintf(buf, sizeof(buf), "Login to %s", buf1); + set_string(&self->login_window->caption1, buf); + } + else + { + /*self->login_window->caption1 = globals->ls_title[0];*/ +- g_sprintf(buf, "%s", globals->ls_title); ++ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title); + set_string(&self->login_window->caption1, buf); + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 363ab3ff8b..5eca9d3bf6 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-Fix-the-compile-error.patch \ file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ + file://CVE-2022-23468.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
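
Review bot: In the xrdp_login_wnd.c hunk of the CVE-2022-23468 patch (xrdp_login_wnd_create), sizeof(buf) bounds the write only if buf is declared as an array in that function; the declaration is outside the hunk context, so please confirm against the 0.9.20 source that it is not a pointer. The unchanged g_gethostname(buf1, 256) just above still passes a literal length, and sizeof(buf1) would keep it tied to the declaration. A long hostname or ls_title is now truncated silently, which is acceptable for a window caption.
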
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 02/12] xrdp: patch CVE-2022-23477
Date: Thu, 4 Dec 2025 08:56:25 +0100
Message-ID: <20251204075635.1088007-2-skandigraun@gmail.com>
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122304

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23477.patch | 38 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch new file mode 100644 index 0000000000..5c2b48a507 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch 
@@ -0,0 +1,38 @@ +From d49f269af82be5f14b193d4edfcb63b547a16ff4 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 11:31:31 +0000 +Subject: [PATCH] CVE-2022-23477 + +Prevent buffer overflow for oversized audio format from client + +CVE: CVE-2022-23477 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/d49f269af82be5f14b193d4edfcb63b547a16ff4] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/audin.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c +index cd802fa519..36a8027a57 100644 +--- a/sesman/chansrv/audin.c ++++ b/sesman/chansrv/audin.c +@@ -181,15 +181,16 @@ audin_send_open(int chan_id) + int error; + int bytes; + struct stream *s; +- struct xr_wave_format_ex *wf; ++ struct xr_wave_format_ex *wf = g_client_formats[g_current_format]; + + LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:"); + make_stream(s); +- init_stream(s, 8192); ++ /* wf->cbSize was checked when the format was received */ ++ init_stream(s, wf->cbSize + 64); ++ + out_uint8(s, MSG_SNDIN_OPEN); + out_uint32_le(s, 2048); /* FramesPerPacket */ + out_uint32_le(s, g_current_format); /* initialFormat */ +- wf = g_client_formats[g_current_format]; + out_uint16_le(s, wf->wFormatTag); + out_uint16_le(s, wf->nChannels); + out_uint32_le(s, wf->nSamplesPerSec); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 5eca9d3bf6..91d4134789 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -17,6 +17,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ + file://CVE-2022-23477.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
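
Review bot: The new comment in the audin.c hunk of the CVE-2022-23477 patch (audin_send_open) says wf->cbSize was checked when the format was received, but that check is not part of this patch, and the stream size now depends entirely on it through init_stream(s, wf->cbSize + 64). Since this is a backport onto 0.9.20, please confirm the receive-side validation exists in that tree; otherwise the allocation simply follows a value sent by the client. wf is also dereferenced at its declaration now, so g_client_formats[g_current_format] has to be non-NULL and g_current_format in range before this function runs. The literal 64 stands for the fixed fields written ahead of the extra data and would read better as a named constant.
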
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 03/12] xrdp: patch CVE-2022-23478
Date: Thu, 4 Dec 2025 08:56:26 +0100
Message-ID: <20251204075635.1088007-3-skandigraun@gmail.com>
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122305

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23478.patch | 85 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch new file mode 100644 index 0000000000..de4f773332 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch 
@@ -0,0 +1,85 @@ +From 6cb54a1c26b53617e1c79a0abc96d03c4add1eb8 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:12:42 +0000 +Subject: [PATCH] CVE-2022-23478 + +Fix potential OOB write if invalid chansrv channel opened + +Also removed an unnecessary dynamic memory allocation + +CVE: CVE-2022-23478 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/6cb54a1c26b53617e1c79a0abc96d03c4add1eb8] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..c91e03ab56 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + int error; + int chan_id; + int chansrv_chan_id; +- char *name; ++ char name[1024 + 1]; + struct xrdp_drdynvc_procs procs; + + if (!s_check_rem(s, 2)) +@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, name_bytes); +- if ((name_bytes < 1) || (name_bytes > 1024)) +- { +- return 1; +- } +- name = g_new(char, name_bytes + 1); +- if (name == NULL) ++ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1))) + { + return 1; + } + if (!s_check_rem(s, name_bytes)) + { +- g_free(name); + return 1; + } + in_uint8a(s, name, name_bytes); + name[name_bytes] = 0; + if (!s_check_rem(s, 8)) + { +- g_free(name); + return 1; + } + in_uint32_le(s, flags); + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } ++ + if (flags == 0) + { + /* open static channel, not supported */ +- g_free(name); + return 1; + } + else +@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + &chan_id); + if (error != 0) + { +- 
g_free(name); + return 1; + } + self->xr2cr_cid_map[chan_id] = chansrv_chan_id; + self->cs2xr_cid_map[chansrv_chan_id] = chan_id; + } +- g_free(name); + return 0; + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 91d4134789..e28f457e87 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ + file://CVE-2022-23478.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
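
Review bot: Across the first two xrdp_mm.c hunks of the CVE-2022-23478 patch (xrdp_mm_trans_process_drdynvc_channel_open), the unchanged context checks s_check_rem(s, 2) and then reads four bytes with in_uint32_le(s, name_bytes); the check should cover 4 bytes. This is not introduced by the backport, but it sits directly in front of the length validation being tightened. The new range test also uses the literal 255 for chansrv_chan_id; deriving the limit from the size of cs2xr_cid_map would keep the check and the array in step, since the array declaration is not visible here.
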
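
Review bot: In the last xrdp_mm.c hunk of the CVE-2022-23478 patch, chansrv_chan_id is range-checked before self->cs2xr_cid_map[chansrv_chan_id] = chan_id, but chan_id, which indexes self->xr2cr_cid_map[chan_id] on the line above, gets no equivalent check in the visible lines. Please confirm that the call filling &chan_id guarantees a value inside xr2cr_cid_map, or add a matching bound.
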
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 04/12] xrdp: patch CVE-2022-23479
Date: Thu, 4 Dec 2025 08:56:27 +0100
Message-ID: <20251204075635.1088007-4-skandigraun@gmail.com>
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122306

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23479.patch | 83 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch new file mode 100644 index 0000000000..6940ce8f17 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch 
@@ -0,0 +1,83 @@ +From 60864014b733c10881c078048560858067fe5d0f Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:44:56 +0000 +Subject: [PATCH] CVE-2022-23479 + +Detect attempts to overflow input buffer + +If application code hasn't properly sanitised the header_size +for a transport, it is possible for read requests to be issued +which overflow the input buffer. This change detects this +at a low level and bounces the read request. + +CVE: CVE-2022-23479 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f] +Signed-off-by: Gyorgy Sarvari +--- + common/trans.c | 19 +++++++++++++++---- + common/trans.h | 2 +- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/common/trans.c b/common/trans.c +index 55d2a63812..1d2d3e68ae 100644 +--- a/common/trans.c ++++ b/common/trans.c +@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) + tbus in_sck = (tbus) 0; + struct trans *in_trans = (struct trans *) NULL; + int read_bytes = 0; +- int to_read = 0; +- int read_so_far = 0; ++ unsigned int to_read = 0; ++ unsigned int read_so_far = 0; + int rv = 0; + enum xrdp_source cur_source; + +@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) + } + else if (self->trans_can_recv(self, self->sck, 0)) + { ++ /* CVE-2022-23479 - check a malicious caller hasn't managed ++ * to set the header_size to an unreasonable value */ ++ if (self->header_size > (unsigned int)self->in_s->size) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "trans_check_wait_objs: Reading %u bytes beyond buffer", ++ self->header_size - (unsigned int)self->in_s->size); ++ self->status = TRANS_STATUS_DOWN; ++ return 1; ++ } ++ + cur_source = XRDP_SOURCE_NONE; + if (self->si != 0) + { + cur_source = self->si->cur_source; + self->si->cur_source = self->my_source; + } +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; 
+ to_read = self->header_size - read_so_far; + + if (to_read > 0) +@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) + } + } + +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + + if (read_so_far == self->header_size) + { +diff --git a/common/trans.h b/common/trans.h +index 1cd89fdac2..313c543b60 100644 +--- a/common/trans.h ++++ b/common/trans.h +@@ -98,7 +98,7 @@ struct trans + ttrans_data_in trans_data_in; + ttrans_conn_in trans_conn_in; + void *callback_data; +- int header_size; ++ unsigned int header_size; + struct stream *in_s; + struct stream *out_s; + char *listen_filename; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index e28f457e87..1900b1e842 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ + file://CVE-2022-23479.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
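
Review bot: In the second trans.c hunk of the CVE-2022-23479 patch (trans_check_wait_objs), to_read = self->header_size - read_so_far is now unsigned arithmetic, so if read_so_far ever exceeds header_size the result wraps to a large value and the following if (to_read > 0) is taken, where the old signed code would have skipped the read. The new guard compares header_size with in_s->size only; consider also rejecting read_so_far > self->header_size before the subtraction. The (int) casts on self->in_s->end - self->in_s->data were dropped, which leaves an implicit conversion from a pointer difference to unsigned int; an explicit cast would document the intent.
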
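
Review bot: The trans.h hunk of the CVE-2022-23479 patch changes header_size in struct trans from int to unsigned int, but no code that assigns or compares the field outside trans.c is touched by this patch. For the 0.9.20 backport it is worth building with sign-compare warnings enabled to see whether any remaining user of the field relied on the signed type.
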
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 05/12] xrdp: patch CVE-2022-23480
Date: Thu, 4 Dec 2025 08:56:28 +0100
Message-ID: <20251204075635.1088007-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122307

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23480-1.patch | 356 ++++++++++++++++++
 .../xrdp/xrdp/CVE-2022-23480-2.patch | 54 +++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 2 +
 3 files changed, 412 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch new file mode 100644 index 0000000000..259044eb00 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch
@@ -0,0 +1,356 @@ +From 7ad7b05261c698b867c7c4f1bfffb4f911036847 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 12:48:57 +0000 +Subject: [PATCH] CVE-2022-23480 + +Added length checking to redirector response parsing + +CVE: CVE-2022-23480 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/7ad7b05261c698b867c7c4f1bfffb4f911036847] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++------- + 1 file changed, 123 insertions(+), 28 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index a44d47e635..7faa9bfc7a 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void); + static void devredir_send_server_clientID_confirm(void); + static void devredir_send_server_user_logged_on(void); + +-static void devredir_proc_client_core_cap_resp(struct stream *s); +-static void devredir_proc_client_devlist_announce_req(struct stream *s); +-static void devredir_proc_client_devlist_remove_req(struct stream *s); +-static void devredir_proc_device_iocompletion(struct stream *s); ++static int devredir_proc_client_core_cap_resp(struct stream *s); ++static int devredir_proc_client_devlist_announce_req(struct stream *s); ++static int devredir_proc_client_devlist_remove_req(struct stream *s); ++static int devredir_proc_device_iocompletion(struct stream *s); + static void devredir_proc_query_dir_response(IRP *irp, + struct stream *s_in, + tui32 DeviceId, +@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + } + + /* read header from incoming data */ ++ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER")) ++ { ++ rv = -1; ++ goto done; ++ } + xstream_rd_u16_le(ls, comp_type); + xstream_rd_u16_le(ls, pktID); + +@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, 
int chan_flags, int length, + switch (pktID) + { + case PAKID_CORE_CLIENTID_CONFIRM: +- xstream_seek(ls, 2); /* major version, we ignore it */ +- xstream_rd_u16_le(ls, minor_ver); +- xstream_rd_u32_le(ls, g_clientID); ++ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP")) ++ { ++ rv = -1; ++ } ++ else ++ { ++ xstream_seek(ls, 2); /* major version, we ignore it */ ++ xstream_rd_u16_le(ls, minor_ver); ++ xstream_rd_u32_le(ls, g_clientID); + +- g_client_rdp_version = minor_ver; ++ g_client_rdp_version = minor_ver; + +- switch (minor_ver) +- { +- case RDP_CLIENT_50: +- break; ++ switch (minor_ver) ++ { ++ case RDP_CLIENT_50: ++ break; + +- case RDP_CLIENT_51: +- break; ++ case RDP_CLIENT_51: ++ break; + +- case RDP_CLIENT_52: +- break; ++ case RDP_CLIENT_52: ++ break; + +- case RDP_CLIENT_60_61: +- break; ++ case RDP_CLIENT_60_61: ++ break; ++ } ++ // LK_TODO devredir_send_server_clientID_confirm(); + } +- // LK_TODO devredir_send_server_clientID_confirm(); + break; + + case PAKID_CORE_CLIENT_NAME: +@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + break; + + case PAKID_CORE_CLIENT_CAPABILITY: +- devredir_proc_client_core_cap_resp(ls); ++ rv = devredir_proc_client_core_cap_resp(ls); + break; + + case PAKID_CORE_DEVICELIST_ANNOUNCE: +- devredir_proc_client_devlist_announce_req(ls); ++ rv = devredir_proc_client_devlist_announce_req(ls); + break; + + case PAKID_CORE_DEVICELIST_REMOVE: +- devredir_proc_client_devlist_remove_req(ls); ++ rv = devredir_proc_client_devlist_remove_req(ls); + break; + + case PAKID_CORE_DEVICE_IOCOMPLETION: +- devredir_proc_device_iocompletion(ls); ++ rv = devredir_proc_device_iocompletion(ls); + break; + + default: +@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id, + * @brief process client's response to our core_capability_req() msg + * + * @param s stream containing client's response ++ * @return 0 for success, -1 otherwise + 
*****************************************************************************/ +-static void ++static int + devredir_proc_client_core_cap_resp(struct stream *s) + { + int i; +@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s) + tui32 cap_version; + char *holdp; + ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, num_caps); + xstream_seek(s, 2); /* padding */ + + for (i = 0; i < num_caps; i++) + { + holdp = s->p; ++ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, cap_type); + xstream_rd_u16_le(s, cap_len); + xstream_rd_u32_le(s, cap_version); ++ /* Convert the length to a remaining length. Underflow is possible, ++ * but this is an unsigned type so that's OK */ ++ cap_len -= (s->p - holdp); ++ if (cap_len > 0 && ++ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length")) ++ { ++ return -1; ++ } + + switch (cap_type) + { +@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s) + scard_init(); + break; + } +- s->p = holdp + cap_len; ++ xstream_seek(s, cap_len); + } ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_announce_req(struct stream *s) + { + unsigned int i; +@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + enum NTSTATUS response_status; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ")) ++ { ++ return -1; ++ } ++ + xstream_rd_u32_le(s, device_count); + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count); + + for (i = 0; i < device_count; i++) + { ++ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_type); + xstream_rd_u32_le(s, g_device_id); + /* get preferred DOS name +@@ -816,6 +856,12 
@@ devredir_proc_client_devlist_announce_req(struct stream *s) + + /* Read the device data length from the stream */ + xstream_rd_u32_le(s, device_data_len); ++ if (device_data_len > 0 && ! ++ !s_check_rem_and_log(s, device_data_len, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata")) ++ { ++ return -1; ++ } + + switch (device_type) + { +@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + devredir_send_server_device_announce_resp(g_device_id, + response_status); + } ++ ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_remove_req(struct stream *s) + { + unsigned int i; +@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + tui32 device_id; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_count); ++ if (!s_check_rem_and_log(s, 4 * device_count, ++ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list")) ++ { ++ return -1; ++ } + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count); + { +@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + xfuse_delete_share(device_id); + } + } ++ return 0; + } + +-static void ++static int + devredir_proc_device_iocompletion(struct stream *s) + { + IRP *irp = NULL; +@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s) + tui32 Length; + enum COMPLETION_TYPE comp_type; + ++ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, DeviceId); + xstream_rd_u32_le(s, CompletionId); + xstream_rd_u32_le(s, IoStatus32); +@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s) + } + else + { ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_send_drive_dir_request(irp, DeviceId, + 1, 
irp->pathname); +@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_CREATE_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_create_file( +@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_OPEN_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info, +@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_READ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); ++ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info, + IoStatus, + s->p, Length); +@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_WRITE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); + xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info, + IoStatus, +@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RMDIR_OR_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rmdir_or_file(irp, IoStatus); + break; +@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RENAME_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rename_file(irp, IoStatus); + break; +@@ -1051,6 +1145,7 @@ 
devredir_proc_device_iocompletion(struct stream *s) + break; + } + } ++ return 0; + } + + static void diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch new file mode 100644 index 0000000000..38c444efcf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch 
@@ -0,0 +1,54 @@ +From 191ed3e3fa892c7dc26e142c7af7af546fcce87d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Thu, 8 Dec 2022 14:13:48 +0000 +Subject: [PATCH] Remove unused g_full_name_for_filesystem + +Not only was this unused, the way it was read could lead to a +buffer overflow (CVE-2022-23480) + +CVE: CVE-2022-23480 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/191ed3e3fa892c7dc26e142c7af7af546fcce87d] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index 7faa9bfc7a..6ce35e34de 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -103,7 +103,6 @@ int g_is_port_redir_supported = 0; + int g_is_drive_redir_supported = 0; + int g_is_smartcard_redir_supported = 0; + int g_drive_redir_version = 1; +-char g_full_name_for_filesystem[1024]; + tui32 g_completion_id = 1; + + tui32 g_clientID; /* unique client ID - announced by client */ +@@ -866,21 +865,18 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + switch (device_type) + { + case RDPDR_DTYP_FILESYSTEM: +- /* get device data len */ +- if (device_data_len) +- { +- xstream_rd_string(g_full_name_for_filesystem, s, +- device_data_len); +- } ++ /* At present we don't use the full name - see ++ * [MS-RDPEFS] 2.2.3.1 for details of the contents */ ++ xstream_skip_u8(s, device_data_len); + + LOG(LOG_LEVEL_INFO, "Detected remote drive '%s'", + preferred_dos_name); + + LOG_DEVEL(LOG_LEVEL_DEBUG, + "device_type=FILE_SYSTEM device_id=0x%x dosname=%s " +- "device_data_len=%d full_name=%s", g_device_id, ++ "device_data_len=%d", g_device_id, + preferred_dos_name, +- device_data_len, g_full_name_for_filesystem); ++ device_data_len); + + response_status = STATUS_SUCCESS; + 
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 1900b1e842..55dab2e867 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -20,6 +20,8 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ file://CVE-2022-23479.patch \ + file://CVE-2022-23480-1.patch \ + file://CVE-2022-23480-2.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Thu Dec 4 07:56:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75862 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
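Review bot: In CVE-2022-23480-1.patch, the PAKID_CORE_CLIENTID_CONFIRM branch of devredir_data_in() checks for 6 remaining bytes, but the reads it guards consume 8: xstream_seek(ls, 2), xstream_rd_u16_le(ls, minor_ver) and xstream_rd_u32_le(ls, g_clientID). With exactly 6 bytes left after the RDPDR_HEADER the check passes and the g_clientID read is not fully covered by it. Suggest asking s_check_rem_and_log() for 8 here, or noting in the patch header why 6 is sufficient.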
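Review bot: In CVE-2022-23480-1.patch, the device-data check added to devredir_proc_client_devlist_announce_req() is inverted as posted: the condition ends its first line with "device_data_len > 0 && !" and the next line starts with "!s_check_rem_and_log(s, device_data_len,", so the two negations cancel. As written the function returns -1 when the announced device data is fully present and carries on when it is not, which is the opposite of every other check in this patch. Drop the stray "!" at the end of the first line, and compare the hunk against the upstream commit named in Upstream-Status to see whether it came in with the backport.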
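Review bot: In CVE-2022-23480-1.patch, devredir_proc_client_devlist_remove_req() sizes its list check as "4 * device_count", where device_count has just been read from the stream with xstream_rd_u32_le(). For a large enough count that product wraps, so the value handed to s_check_rem_and_log() no longer corresponds to 4 bytes per device. Suggest bounding device_count before multiplying (for example against the remaining bytes divided by 4), or checking 4 bytes per iteration the way the announce loop checks 4 + 4 + 8 + 4 per device.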
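Review bot: In CVE-2022-23480-2.patch, the RDPDR_DTYP_FILESYSTEM case now calls xstream_skip_u8(s, device_data_len) with a length taken from the stream and no bound of its own in this hunk, so it is only safe because of the device_data_len check that CVE-2022-23480-1.patch adds just above the switch. That dependency deserves a line in the patch header, since the commit message only says "Pick the patch that mentions this vulnerability explicitly" while two patches are added. The SRC_URI order (-1 before -2) is correct and should stay that way.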
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 06/12] xrdp: patch CVE-2022-23481
Date: Thu, 4 Dec 2025 08:56:29 +0100
Message-ID: <20251204075635.1088007-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122308

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23481.patch | 46 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch new file mode 100644 index 0000000000..bb2d3c8cfa --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch
@@ -0,0 +1,46 @@ +From c77e974080da8267d902f99ca5ab7d22ea02d98c Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:40:25 +0000 +Subject: [PATCH] CVE-2022-23481 + +Add length checks to client confirm active PDU parsing + +CVE: CVE-2022-23481 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/c77e974080da8267d902f99ca5ab7d22ea02d98c] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_caps.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c +index 5c5e74a579..ac21cc0a18 100644 +--- a/libxrdp/xrdp_caps.c ++++ b/libxrdp/xrdp_caps.c +@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s) + int len; + char *p; + ++ if (!s_check_rem_and_log(s, 10, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header")) ++ { ++ return 1; ++ } + in_uint8s(s, 4); /* rdp_shareid */ + in_uint8s(s, 2); /* userid */ + in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */ + in_uint16_le(s, cap_len); ++ ++ if (!s_check_rem_and_log(s, source_len + 2 + 2, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header2")) ++ { ++ return 1; ++ } + in_uint8s(s, source_len); + in_uint16_le(s, num_caps); + in_uint8s(s, 2); /* pad */ ++ + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU " + "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, " + "lengthCombinedCapabilities %d, sourceDescriptor (ignored), " diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 55dab2e867..ff14cf8397 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -22,6 +22,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23479.patch \ file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ + file://CVE-2022-23481.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Thu Dec 4 07:56:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75858 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
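Review bot: In CVE-2022-23481.patch, xrdp_caps_process_confirm_active() reads cap_len (lengthCombinedCapabilities) between the two new checks, but neither check uses it: the first covers the 10-byte header and the second covers "source_len + 2 + 2", that is sourceDescriptor, num_caps and the pad. In the lines shown cap_len is only logged. Please confirm that the capability loop following this hunk in 0.9.20 bounds each capability set against the remaining data, or add a check of cap_len at this point, and say in the patch header which fields the new checks are meant to cover.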
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][scarthgap][PATCH v2 07/12] xrdp: patch CVE-2022-23482
Date: Thu, 4 Dec 2025 08:56:30 +0100
Message-ID: <20251204075635.1088007-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com>
References: <20251204075635.1088007-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122309

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
---
v2: fix upstream-status formatting

 .../xrdp/xrdp/CVE-2022-23482.patch | 69 +++++++++++++++++++
 meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch new file mode 100644 index 0000000000..ef99baa8cf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch
@@ -0,0 +1,69 @@ +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:05:46 +0000 +Subject: [PATCH] CVE-2022-23482 + +Check minimum length of TS_UD_CS_CORE message + +CVE: CVE-2022-23482 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c +index 691d4f04f3..084fca6b8d 100644 +--- a/libxrdp/xrdp_sec.c ++++ b/libxrdp/xrdp_sec.c +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) + static int + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + { ++#define CS_CORE_MIN_LENGTH \ ++ (\ ++ 4 + /* Version */ \ ++ 2 + 2 + /* desktopWidth + desktopHeight */ \ ++ 2 + 2 + /* colorDepth + SASSequence */ \ ++ 4 + /* keyboardLayout */ \ ++ 4 + 32 + /* clientBuild + clientName */ \ ++ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ ++ 64 + /* imeFileName */ \ ++ 0) ++ + int version; + int colorDepth; + int postBeta2ColorDepth; +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + + UNUSED_VAR(version); + +- /* TS_UD_CS_CORE requiered fields */ ++ /* TS_UD_CS_CORE required fields */ ++ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, ++ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) ++ { ++ return 1; ++ } + in_uint32_le(s, version); + in_uint16_le(s, self->rdp_layer->client_info.width); + in_uint16_le(s, self->rdp_layer->client_info.height); +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + clientName); + + /* TS_UD_CS_CORE optional fields */ ++ if (!s_check_rem(s, 2)) ++ { ++ return 0; ++ } + in_uint16_le(s, postBeta2ColorDepth); + 
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " + " postBeta2ColorDepth %s", +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + " desktopOrientation (ignored)"); + + return 0; ++#undef CS_CORE_MIN_LENGTH + } + + /*****************************************************************************/ diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index ff14cf8397..29245f3747 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ + file://CVE-2022-23482.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb" From patchwork Thu Dec 4 07:56:31 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75859 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
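Review bot: In CVE-2022-23482.patch, the optional-field guard "if (!s_check_rem(s, 2)) return 0;" in xrdp_sec_process_mcs_data_CS_CORE() is added only in front of postBeta2ColorDepth, while the trailing context of the last hunk shows optional fields being handled up to desktopOrientation. Because this is a backport onto 0.9.20, please confirm that every later optional read in that tree already has its own s_check_rem guard. A smaller point: CS_CORE_MIN_LENGTH is defined inside the function and undefined after the final "return 0;", so a one-line comment giving its total (128 bytes by the fields listed) would make the check easier to verify against [MS-RDPBCGR].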
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH v2 08/12] xrdp: patch CVE-2022-23483 Date: Thu, 4 Dec 2025 08:56:31 +0100 Message-ID: <20251204075635.1088007-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com> References: <20251204075635.1088007-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Dec 2025 07:56:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122310 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- v2: fix upstream-status formatting .../xrdp/xrdp/CVE-2022-23483.patch | 65 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch new file mode 100644 index 0000000000..7172a8264c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch 
@@ -0,0 +1,65 @@ +From 35cca701c753db65d3c05b7ea4fff9bd09e76661 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:21:41 +0000 +Subject: [PATCH] CVE-2022-23483 + +Sanitise channel data being passed from application + +Avoids OOB read if the size field is incorrect. + +CVE: CVE-2022-23483 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661] +Signed-off-by: Gyorgy Sarvari + +--- + xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..64ae229e01 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans) + static int + xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s) + { +- int size; +- int total_size; ++ unsigned int size; ++ unsigned int total_size; + int chan_id; + int chan_flags; +- int rv; +- +- in_uint16_le(s, chan_id); +- in_uint16_le(s, chan_flags); +- in_uint16_le(s, size); +- in_uint32_le(s, total_size); +- rv = 0; ++ int rv = 0; + +- if (rv == 0) ++ if (!s_check_rem_and_log(s, 10, "Reading channel data header")) ++ { ++ rv = 1; ++ } ++ else + { +- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size, +- chan_flags); ++ in_uint16_le(s, chan_id); ++ in_uint16_le(s, chan_flags); ++ in_uint16_le(s, size); ++ in_uint32_le(s, total_size); ++ if (!s_check_rem_and_log(s, size, "Reading channel data data")) ++ { ++ rv = 1; ++ } ++ else ++ { ++ rv = libxrdp_send_to_channel(self->wm->session, chan_id, ++ s->p, size, total_size, chan_flags); ++ } + } + + return rv; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 29245f3747..f9e2105500 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ + file://CVE-2022-23483.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Thu Dec 4 07:56:32 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75864 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
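Review bot: In the xrdp_mm.c hunk of CVE-2022-23483.patch (08/12), xrdp_mm_trans_process_channel_data() now checks size against the bytes left in the stream, but total_size is read from the same 10-byte header and handed to libxrdp_send_to_channel() with no check that size <= total_size. If the callee does not enforce that relationship itself, reject the message here as well, or state in the patch header why the callee makes it unnecessary. size and total_size also change from int to unsigned int while the call still passes them to libxrdp_send_to_channel(), whose parameter types are not visible in this hunk, so confirm against the 0.9.20 sources that there is no implicit conversion back to a signed type. Minor: the log string "Reading channel data data" reads like a typo and will be awkward to search for in logs.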
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH v2 09/12] xrdp: patch CVE-2022-23484 Date: Thu, 4 Dec 2025 08:56:32 +0100 Message-ID: <20251204075635.1088007-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com> References: <20251204075635.1088007-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Dec 2025 07:56:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122311 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- v2: no change .../xrdp/xrdp/CVE-2022-23484.patch | 31 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch new file mode 100644 index 0000000000..af27c50376 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch 
@@ -0,0 +1,31 @@ +From c2c6efb1d377be6baaa4acbc9d3700490fe92887 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:03:24 +0000 +Subject: [PATCH] CVE-2022-23484 + +Add check for RAIL window text size + +CVE: CVE-2022-23484 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/c2c6efb1d377be6baaa4acbc9d3700490fe92887] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..4352625874 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -929,6 +929,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s) + + g_memset(&rwso, 0, sizeof(rwso)); + in_uint32_le(s, size); /* title size */ ++ if (size < 0 || !s_check_rem(s, size)) ++ { ++ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d", ++ __func__, size); ++ return 1; ++ } + rwso.title_info = g_new(char, size + 1); + in_uint8a(s, rwso.title_info, size); + rwso.title_info[size] = 0; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index f9e2105500..a9107a0e26 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ + file://CVE-2022-23484.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Thu Dec 4 07:56:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75866 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
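Review bot: In the xrdp_mm.c hunk of CVE-2022-23484.patch (09/12), the new check validates size only after in_uint32_le(s, size) has already consumed four bytes, and nothing visible in the hunk confirms those four bytes are present; xrdp_mm_process_rail_update_window_text() should have an s_check_rem(s, 4) before the read unless the caller guarantees it. The size < 0 arm only does anything if size is declared as a signed int, which the hunk does not show; if it is, a short comment saying that wire values of 0x80000000 and above are rejected there would make the intent clear. The g_new(char, size + 1) result is still passed to in_uint8a() without a NULL check.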
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH v2 10/12] xrdp: patch CVE-2022-23493 Date: Thu, 4 Dec 2025 08:56:33 +0100 Message-ID: <20251204075635.1088007-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com> References: <20251204075635.1088007-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Dec 2025 07:56:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122312 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari --- v2: no change .../xrdp/xrdp/CVE-2022-23493.patch | 33 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch new file mode 100644 index 0000000000..de3f7a42f3 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch 
@@ -0,0 +1,33 @@ +From 030db5524be7616967ae9e7d26b3d4477cf6082d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:49:06 +0000 +Subject: [PATCH] CVE-2022-23493 + +Check chansrv channel ID on a channel close + +Prevent OOB read if an invalid channel ID is sent. + +CVE: CVE-2022-23493 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/030db5524be7616967ae9e7d26b3d4477cf6082d] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..068424885e 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1435,6 +1435,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } + chan_id = self->cs2xr_cid_map[chansrv_chan_id]; + /* close dynamic channel */ + error = libxrdp_drdynvc_close(self->wm->session, chan_id); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index a9107a0e26..f3d11522ac 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ + file://CVE-2022-23493.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Thu Dec 4 07:56:34 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75867 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
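Review bot: In the xrdp_mm.c hunk of CVE-2022-23493.patch (10/12), the upper bound in "chansrv_chan_id > 255" is a magic number that has to match the declared length of self->cs2xr_cid_map, which is not visible here. Derive the bound from the array itself (an element-count macro or the constant used in its declaration) so the check cannot drift from the array size, and confirm that in the 0.9.20 tree the array really has 256 entries. The check follows in_uint32_le(s, chansrv_chan_id), so the "< 0" arm matters only if the variable is a signed int; a comment to that effect would help the next reader.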
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH v2 11/12] xrdp: patch CVE-2023-40184 Date: Thu, 4 Dec 2025 08:56:34 +0100 Message-ID: <20251204075635.1088007-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com> References: <20251204075635.1088007-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Dec 2025 07:56:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122313 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184 Pick the patch that is associated with the github advisory[1], which is a backported version of the patch that is referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq Signed-off-by: Gyorgy Sarvari --- v2: no change .../xrdp/xrdp/CVE-2023-40184.patch | 73 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch new file mode 100644 index 0000000000..c4a6a1b862 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch 
@@ -0,0 +1,73 @@ +From 322d11b431e4773f77aaeb764571a3a8d60f9fca Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Sat, 19 Aug 2023 13:26:44 +0100 +Subject: [PATCH] [v0.9] Check auth_start_session() result + +CVE: CVE-2023-40184 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/8c5b7cdff3929dc59c5f13e33cec839ed45d1c34] +Signed-off-by: Gyorgy Sarvari +--- + sesman/session.c | 7 ++++++- + sesman/verify_user_pam.c | 24 ++++++++++++++++++++++-- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/sesman/session.c b/sesman/session.c +index 441f8d3a60..d352f5e859 100644 +--- a/sesman/session.c ++++ b/sesman/session.c +@@ -526,7 +526,12 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s) + g_delete_wait_obj(g_sigchld_event); + g_delete_wait_obj(g_term_event); + +- auth_start_session(data, display); ++ if (auth_start_session(data, display) != 0) ++ { ++ // Errors are logged by the auth module, as they are ++ // specific to that module ++ g_exit(1); ++ } + sesman_close_all(); + g_sprintf(geometry, "%dx%d", s->width, s->height); + g_sprintf(depth, "%d", s->bpp); +diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c +index a34d83cd7d..ed17397fc3 100644 +--- a/sesman/verify_user_pam.c ++++ b/sesman/verify_user_pam.c +@@ -316,8 +316,8 @@ auth_userpass(const char *user, const char *pass, int *errorcode) + + /******************************************************************************/ + /* returns error */ +-int +-auth_start_session(long in_val, int in_display) ++static int ++auth_start_session_private(long in_val, int in_display) + { + struct t_auth_info *auth_info; + int error; +@@ -357,6 +357,26 @@ auth_start_session(long in_val, int in_display) + return 0; + } + ++/******************************************************************************/ ++/** ++ * Main routine to start a session ++ * ++ * Calls the private routine and logs an additional error if the private 
++ * routine fails ++ */ ++int ++auth_start_session(long in_val, int in_display) ++{ ++ int result = auth_start_session_private(in_val, in_display); ++ if (result != 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "Can't start PAM session. See PAM logging for more info"); ++ } ++ ++ return result; ++} ++ + /******************************************************************************/ + /* returns error */ + int diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index f3d11522ac..5a1d904a15 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ + file://CVE-2023-40184.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Thu Dec 4 07:56:35 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 75868 X-Patchwork-Delegate: anuj.mittal@oss.qualcomm.com
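Review bot: The Upstream-Status line in CVE-2023-40184.patch (11/12) points at commit 8c5b7cdff3929dc59c5f13e33cec839ed45d1c34, while the From line of the embedded patch is 322d11b431e4773f77aaeb764571a3a8d60f9fca and its subject is tagged [v0.9]; cite the commit that was actually picked, or list both, so the backport can be traced from the recipe. In the sesman/session.c hunk, the failure path calls g_exit(1) before sesman_close_all() runs and logs nothing at the call site, relying on the wrapper in verify_user_pam.c for the message; confirm that the parent collects and reports the child's exit status, since the hunk does not show it. Style: the added comment in session.c uses // while the surrounding comments visible in this patch use /* */.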
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][scarthgap][PATCH v2 12/12] xrdp: patch CVE-2023-42822 Date: Thu, 4 Dec 2025 08:56:35 +0100 Message-ID: <20251204075635.1088007-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251204075635.1088007-1-skandigraun@gmail.com> References: <20251204075635.1088007-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 04 Dec 2025 07:56:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/122314 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822 Pick the patch that references the github advisory[1] and the cve ID also from the nvd report. The patch is a backported version of the patch referenced by the nvd report. [1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw Signed-off-by: Gyorgy Sarvari --- v2: no change .../xrdp/xrdp/CVE-2023-42822.patch | 304 ++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 305 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch new file mode 100644 index 0000000000..2cf7968f3c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch 
@@ -0,0 +1,304 @@ +From 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Mon, 25 Sep 2023 11:25:04 +0100 +Subject: [PATCH] CVE-2023-42822 + +- font_items in struct xrdp_font renamed to chars to catch all + accesses to it. This name is consistent with the type of + the array elements (struct xrdp_font_char). +- Additional fields added to struct xrdp_font to allow for range + checking and for a default character to be provided +- Additional checks and logic added to xrdp_font_create() +- New macro XRDP_FONT_GET_CHAR() added to perform checked access + to chars field in struct xrdp_font + +CVE: CVE-2023-42822 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/fd25fc546a68a94163413ff2cf3989c1e239e762] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp.h | 9 ++++ + xrdp/xrdp_font.c | 113 +++++++++++++++++++++++++++++++++++++------- + xrdp/xrdp_painter.c | 10 ++-- + xrdp/xrdp_types.h | 8 +++- + 4 files changed, 115 insertions(+), 25 deletions(-) + +diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h +index 36d8f87a9a..be008aa227 100644 +--- a/xrdp/xrdp.h ++++ b/xrdp/xrdp.h +@@ -345,6 +345,15 @@ xrdp_font_delete(struct xrdp_font *self); + int + xrdp_font_item_compare(struct xrdp_font_char *font1, + struct xrdp_font_char *font2); ++/** ++ * Gets a checked xrdp_font_char from a font ++ * @param f Font ++ * @param c32 Unicode codepoint ++ */ ++#define XRDP_FONT_GET_CHAR(f, c32) \ ++ (((unsigned int)(c32) >= ' ') && ((unsigned int)(c32) < (f)->char_count) \ ++ ? 
((f)->chars + (unsigned int)(c32)) \ ++ : (f)->default_char) + + /* funcs.c */ + int +diff --git a/xrdp/xrdp_font.c b/xrdp/xrdp_font.c +index c089db0075..2b34f36ca6 100644 +--- a/xrdp/xrdp_font.c ++++ b/xrdp/xrdp_font.c +@@ -65,6 +65,12 @@ static char w_char[] = + }; + #endif + ++// Unicode definitions ++#define UNICODE_WHITE_SQUARE 0x25a1 ++ ++// First character allocated in the 'struct xrdp_font.chars' array ++#define FIRST_CHAR ' ' ++ + /*****************************************************************************/ + struct xrdp_font * + xrdp_font_create(struct xrdp_wm *wm) +@@ -74,7 +80,7 @@ xrdp_font_create(struct xrdp_wm *wm) + int fd; + int b; + int i; +- int index; ++ unsigned int char_count; + int datasize; + int file_size; + struct xrdp_font_char *f; +@@ -100,17 +106,39 @@ xrdp_font_create(struct xrdp_wm *wm) + } + + self = (struct xrdp_font *)g_malloc(sizeof(struct xrdp_font), 1); ++ if (self == NULL) ++ { ++ LOG(LOG_LEVEL_ERROR, "xrdp_font_create: " ++ "Can't allocate memory for font"); ++ return self; ++ } + self->wm = wm; + make_stream(s); + init_stream(s, file_size + 1024); + fd = g_file_open(file_path); + +- if (fd != -1) ++ if (fd < 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Can't open %s - %s", file_path, ++ g_get_strerror()); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + b = g_file_read(fd, s->data, file_size + 1024); + g_file_close(fd); + +- if (b > 0) ++ // Got at least a header? 
++ if (b < (4 + 32 + 2 + 2 + 8)) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Font %s is truncated", file_path); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + s->end = s->data + b; + in_uint8s(s, 4); +@@ -118,11 +146,27 @@ xrdp_font_create(struct xrdp_wm *wm) + in_uint16_le(s, self->size); + in_uint16_le(s, self->style); + in_uint8s(s, 8); +- index = 32; ++ char_count = FIRST_CHAR; + +- while (s_check_rem(s, 16)) ++ while (!s_check_end(s)) + { +- f = self->font_items + index; ++ if (!s_check_rem(s, 16)) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Can't parse header for character U+%X", char_count); ++ break; ++ } ++ ++ if (char_count >= MAX_FONT_CHARS) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Ignoring characters >= U+%x", MAX_FONT_CHARS); ++ break; ++ } ++ ++ f = self->chars + char_count; + in_sint16_le(s, i); + f->width = i; + in_sint16_le(s, i); +@@ -139,23 +183,56 @@ xrdp_font_create(struct xrdp_wm *wm) + if (datasize < 0 || datasize > 512) + { + /* shouldn't happen */ +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create, datasize wrong " +- "width %d, height %d, datasize %d, index %d", +- f->width, f->height, datasize, index); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "datasize for U+%x wrong " ++ "width %d, height %d, datasize %d", ++ char_count, f->width, f->height, datasize); + break; + } + +- if (s_check_rem(s, datasize)) ++ if (!s_check_rem(s, datasize)) + { +- f->data = (char *)g_malloc(datasize, 0); +- in_uint8a(s, f->data, datasize); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Not enough data for character U+%X", char_count); ++ break; + } +- else ++ ++ if ((f->data = (char *)g_malloc(datasize, 0)) == NULL) + { +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create"); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Allocation error for character U+%X", char_count); ++ break; + } ++ in_uint8a(s, f->data, datasize); ++ ++ ++char_count; ++ } + +- index++; ++ self->char_count = char_count; ++ if 
(char_count <= FIRST_CHAR) ++ { ++ /* We read no characters from the font */ ++ xrdp_font_delete(self); ++ self = NULL; ++ } ++ else ++ { ++ // Find a default glyph ++ if (char_count > UNICODE_WHITE_SQUARE) ++ { ++ self->default_char = &self->chars[UNICODE_WHITE_SQUARE]; ++ } ++ else if (char_count > '?') ++ { ++ self->default_char = &self->chars['?']; ++ } ++ else ++ { ++ self->default_char = &self->chars[FIRST_CHAR]; ++ } + } + } + } +@@ -178,16 +255,16 @@ xrdp_font_create(struct xrdp_wm *wm) + void + xrdp_font_delete(struct xrdp_font *self) + { +- int i; ++ unsigned int i; + + if (self == 0) + { + return; + } + +- for (i = 0; i < NUM_FONTS; i++) ++ for (i = FIRST_CHAR; i < self->char_count; i++) + { +- g_free(self->font_items[i].data); ++ g_free(self->chars[i].data); + } + + g_free(self); +diff --git a/xrdp/xrdp_painter.c b/xrdp/xrdp_painter.c +index b02c9072b6..832186ff22 100644 +--- a/xrdp/xrdp_painter.c ++++ b/xrdp/xrdp_painter.c +@@ -455,7 +455,7 @@ xrdp_painter_text_width(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = rv + font_item->incby; + } + +@@ -493,7 +493,7 @@ xrdp_painter_text_height(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = MAX(rv, font_item->height); + } + +@@ -870,7 +870,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + total_height = 0; + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + k = font_item->incby; + total_width += k; + total_height = MAX(total_height, font_item->height); +@@ -904,7 +904,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + draw_rect.bottom - draw_rect.top); + for (index = 0; index < len; 
index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + g_memset(&pat, 0, sizeof(pat)); + pat.format = PT_FORMAT_c1; + pat.width = font_item->width; +@@ -946,7 +946,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + i = xrdp_cache_add_char(self->wm->cache, font_item); + f = HIWORD(i); + c = LOWORD(i); +diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h +index 41b65702f0..b794890b08 100644 +--- a/xrdp/xrdp_types.h ++++ b/xrdp/xrdp_types.h +@@ -574,7 +574,7 @@ struct xrdp_bitmap + int crc16; + }; + +-#define NUM_FONTS 0x4e00 ++#define MAX_FONT_CHARS 0x4e00 + #define DEFAULT_FONT_NAME "sans-10.fv1" + + #define DEFAULT_ELEMENT_TOP 35 +@@ -594,7 +594,11 @@ struct xrdp_bitmap + struct xrdp_font + { + struct xrdp_wm *wm; +- struct xrdp_font_char font_items[NUM_FONTS]; ++ // Font characters, accessed by Unicode codepoint. The first 32 ++ // entries are unused. ++ struct xrdp_font_char chars[MAX_FONT_CHARS]; ++ unsigned int char_count; // # elements in above array ++ struct xrdp_font_char *default_char; // Pointer into above array + char name[32]; + int size; + int style; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 5a1d904a15..d2ace79c55 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb @@ -28,6 +28,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ file://CVE-2023-40184.patch \ + file://CVE-2023-42822.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
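Review bot: In the xrdp/xrdp.h hunk, XRDP_FONT_GET_CHAR() expands both of its arguments more than once (c32 appears three times, f up to three), so a call such as XRDP_FONT_GET_CHAR(font, wstr[index++]) would advance index more than once per lookup. A static inline function taking (const struct xrdp_font *, unsigned int) would give the same check with single evaluation. If the macro stays, the doc comment should state that the arguments must be free of side effects, and should gain an @return line saying that out-of-range codepoints yield f->default_char. The lower bound is also written as a literal ' ' here while FIRST_CHAR is defined privately in xrdp_font.c; defining FIRST_CHAR next to MAX_FONT_CHARS would let both files use the same name.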
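Review bot: In the xrdp_font_create() hunk that adds the "Got at least a header?" test, the minimum length is spelled as the unnamed sum (4 + 32 + 2 + 2 + 8), which a reader has to match by eye against the in_uint8s()/in_uint16_le() reads that follow. A named constant with a comment naming each field would keep the check and the parser from drifting apart. In the same hunk, the allocation-failure branch would read more clearly with "return NULL;" than "return self;".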
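Review bot: In the hunk that rewrites the head of the character loop in xrdp_font_create(), the two new warnings format the codepoint differently, "U+%X" for the truncated character header and "U+%x" for the MAX_FONT_CHARS limit, and the following hunk mixes the two forms again. Pick one form for all of these messages (uppercase, zero-padded "U+%04X" is the usual way to write a codepoint) so the log lines can be searched consistently.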
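Review bot: In the glyph-data hunk of xrdp_font_create(), the unchanged range check (datasize < 0 || datasize > 512) still admits datasize == 0, and the new test "(f->data = (char *)g_malloc(datasize, 0)) == NULL" then treats any NULL result as an allocation error and stops loading the font. If the font format permits a glyph with no bitmap data and g_malloc() can return NULL for a zero-byte request, a valid font would be cut short at that character. Please either skip the allocation when datasize is 0 or reject 0 explicitly in the range check, and say in a comment which of the two is intended.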
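Review bot: All five call sites changed in xrdp/xrdp_painter.c now go through XRDP_FONT_GET_CHAR(), which reads (f)->char_count before anything else, while xrdp_font_create() in this same patch gains several paths that return NULL (allocation failure, open failure, truncated header, no characters read). None of the painter hunks shows a NULL test on self->font or font in its context lines, so please confirm that xrdp_painter_text_width(), xrdp_painter_text_height() and xrdp_painter_draw_text() check the font pointer before these loops, or add the check as part of this change.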
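Review bot: In the struct xrdp_font hunk of xrdp/xrdp_types.h, the comment on char_count ("# elements in above array") does not match how the field is used: the array always has MAX_FONT_CHARS elements, and char_count is the exclusive upper bound on loaded codepoints that XRDP_FONT_GET_CHAR() and xrdp_font_delete() test against. Suggest wording along the lines of "one past the highest codepoint loaded into chars[]". The comment above the array also hard-codes "first 32 entries" where the code uses FIRST_CHAR; referring to the constant would keep the two in step.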
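Review bot: In the header of the added CVE-2023-42822.patch, the From line names commit 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 while Upstream-Status points at commit fd25fc546a68a94163413ff2cf3989c1e239e762. If the backport was taken from a different branch than the linked commit, please say so in the patch header or link the commit that was actually picked, so the provenance of the 304 added lines can be checked against upstream.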