From patchwork Sat Jan 24 06:29:55 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 79558
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 01/13] frr: patch CVE-2025-61099..61107
Date: Sat, 24 Jan 2026 07:29:55 +0100
Message-ID: <20260124063007.28313-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123808

Details:
https://nvd.nist.gov/vuln/detail/CVE-2025-61099
https://nvd.nist.gov/vuln/detail/CVE-2025-61100
https://nvd.nist.gov/vuln/detail/CVE-2025-61101
https://nvd.nist.gov/vuln/detail/CVE-2025-61102
https://nvd.nist.gov/vuln/detail/CVE-2025-61103
https://nvd.nist.gov/vuln/detail/CVE-2025-61104
https://nvd.nist.gov/vuln/detail/CVE-2025-61105
https://nvd.nist.gov/vuln/detail/CVE-2025-61106
https://nvd.nist.gov/vuln/detail/CVE-2025-61107

The NVD advisory references a PR[1] that contains only an unfinished, and ultimately unmerged attempt at the fixes. The actual solution comes from a different PR[2].

These patches are 3 commits from that PR. The last commit wasn't backported, because it is just code formatting.

[1]: https://github.com/FRRouting/frr/pull/19480
[2]: https://github.com/FRRouting/frr/pull/19983

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 3cd47f72ad8d3889e2ef44c63ce6414cb1a9964d)
Signed-off-by: Gyorgy Sarvari --- .../frr/frr/CVE-2025-61099-61107-1.patch | 40 +++ .../frr/frr/CVE-2025-61099-61107-2.patch | 80 +++++ .../frr/frr/CVE-2025-61099-61107-3.patch | 293 ++++++++++++++++++ .../recipes-protocols/frr/frr_10.4.2.bb | 3 + 4 files changed, 416 insertions(+) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-1.patch create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-2.patch create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-3.patch diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-1.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-1.patch new file mode 100644 index 0000000000..a1e1246cce --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-1.patch 
@@ -0,0 +1,40 @@ +From e21276d430663fd8312940bb3b0ce081957e3d85 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sun, 24 Aug 2025 21:17:55 +0800 +Subject: [PATCH] ospfd: Add null check for vty_out in check_tlv_size + +From: s1awwhy + +Add security check for vty_out. Specifically, Check NULL for vty. If vty is not available, dump info via zlog. + +Signed-off-by: s1awwhy + +CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/b7d9b7aa47627b31e4b50795284408ab6de98660] +Signed-off-by: Gyorgy Sarvari +--- + ospfd/ospf_ext.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c +index df0b3b9081..8ca0df3200 100644 +--- a/ospfd/ospf_ext.c ++++ b/ospfd/ospf_ext.c +@@ -1705,11 +1705,15 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op) + * ------------------------------------ + */ + ++/* Check NULL for vty. If vty is not available, dump info via zlog */ + #define check_tlv_size(size, msg) \ + do { \ + if (ntohs(tlvh->length) != size) { \ +- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ +- msg, ntohs(tlvh->length), size); \ ++ if (vty != NULL) \ ++ vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ ++ msg, ntohs(tlvh->length), size); \ ++ else \ ++ zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \ + return size + TLV_HDR_SIZE; \ + } \ + } while (0) diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-2.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-2.patch new file mode 100644 index 0000000000..eacada0ec4 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-2.patch 
@@ -0,0 +1,80 @@ +From d9ed123b814dad7cf4b069de5601c9f279596191 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 6 Jan 2026 15:32:32 +0100 +Subject: [PATCH] ospfd: skip subsequent tlvs after invalid length + +From: Louis Scalbert + +Do not attempt to read subsequent TLVs after an TLV invalid length is +detected. + +Signed-off-by: Louis Scalbert + +CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/33dfc7e7be1ac8b66abbf47c30a709215fbc1926] +Signed-off-by: Gyorgy Sarvari +--- + ospfd/ospf_ext.c | 6 +++--- + ospfd/ospf_ri.c | 6 +++--- + ospfd/ospf_te.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c +index 8ca0df3200..62b0020148 100644 +--- a/ospfd/ospf_ext.c ++++ b/ospfd/ospf_ext.c +@@ -1710,11 +1710,11 @@ static void ospf_ext_lsa_schedule(struct ext_itf *exti, enum lsa_opcode op) + do { \ + if (ntohs(tlvh->length) != size) { \ + if (vty != NULL) \ +- vty_out(vty, " Wrong %s TLV size: %d(%d). Abort!\n", \ ++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ + msg, ntohs(tlvh->length), size); \ + else \ +- zlog_debug(" Wrong %s TLV size: %d(%d). Abort!", msg, ntohs(tlvh->length), size); \ +- return size + TLV_HDR_SIZE; \ ++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", msg, ntohs(tlvh->length), size); \ ++ return OSPF_MAX_LSA_SIZE + 1; \ + } \ + } while (0) + +diff --git a/ospfd/ospf_ri.c b/ospfd/ospf_ri.c +index 76e6efeb83..7934b25451 100644 +--- a/ospfd/ospf_ri.c ++++ b/ospfd/ospf_ri.c +@@ -1208,12 +1208,12 @@ static int ospf_router_info_lsa_update(struct ospf_lsa *lsa) + do { \ + if (ntohs(tlvh->length) > size) { \ + if (vty != NULL) \ +- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ ++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). 
Skip subsequent TLVs!\n", \ + msg, ntohs(tlvh->length), size); \ + else \ +- zlog_debug(" Wrong %s TLV size: %d(%d)", \ ++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ + msg, ntohs(tlvh->length), size); \ +- return size + TLV_HDR_SIZE; \ ++ return OSPF_MAX_LSA_SIZE + 1; \ + } \ + } while (0) + +diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c +index d187485b9f..850a7039f1 100644 +--- a/ospfd/ospf_te.c ++++ b/ospfd/ospf_te.c +@@ -3161,12 +3161,12 @@ static void ospf_te_init_ted(struct ls_ted *ted, struct ospf *ospf) + do { \ + if (ntohs(tlvh->length) > size) { \ + if (vty != NULL) \ +- vty_out(vty, " Wrong %s TLV size: %d(%d)\n", \ ++ vty_out(vty, " Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!\n", \ + msg, ntohs(tlvh->length), size); \ + else \ +- zlog_debug(" Wrong %s TLV size: %d(%d)", \ ++ zlog_debug(" Wrong %s TLV size: %d(expected %d). Skip subsequent TLVs!", \ + msg, ntohs(tlvh->length), size); \ +- return size + TLV_HDR_SIZE; \ ++ return OSPF_MAX_LSA_SIZE + 1; \ + } \ + } while (0) + diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-3.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-3.patch new file mode 100644 index 0000000000..7b983198f5 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2025-61099-61107-3.patch 
@@ -0,0 +1,293 @@ +From 2d02bca97251ee53fb10b4c34c8cda0e20ae8b8e Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Sun, 24 Aug 2025 21:21:23 +0800 +Subject: [PATCH] ospfd: Fix NULL Pointer Deference when dumping link info + +From: s1awwhy + +When the command debug ospf packet all send/recv detail is enabled in the OSPF +configuration, ospfd will dump detailed information of any received or sent +OSPF packets, either via VTY or through the zlog. However, the original Opaque +LSA handling code failed to check whether the VTY context and show_opaque_info +were available, resulting in NULL pointer dereference and crashes in ospfd. +The patch fixes the Null Pointer Deference Vulnerability in +show_vty_ext_link_rmt_itf_addr, show_vty_ext_link_adj_sid, +show_vty_ext_link_lan_adj_sid, show_vty_unknown_tlv, +show_vty_link_info, show_vty_ext_pref_pref_sid, show_vtY_pref_info. +Specifically, add NULL check for vty. If vty is not available, dump details +via zlog. + +Signed-off-by: s1awwhy +Signed-off-by: Louis Scalbert + +CVE: CVE-2025-61099 CVE-2025-61100 CVE-2025-61101 CVE-2025-61102 CVE-2025-61103 CVE-2025-61104 CVE-2025-61105 CVE-2025-61106 CVE-2025-61107 +Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/034e6fe67078810b952630055614ee5710d1196e] +Signed-off-by: Gyorgy Sarvari +--- + ospfd/ospf_ext.c | 200 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 138 insertions(+), 62 deletions(-) + +diff --git a/ospfd/ospf_ext.c b/ospfd/ospf_ext.c +index 62b0020148..c1fcd632e0 100644 +--- a/ospfd/ospf_ext.c ++++ b/ospfd/ospf_ext.c +@@ -1729,9 +1729,15 @@ static uint16_t show_vty_ext_link_rmt_itf_addr(struct vty *vty, + check_tlv_size(EXT_SUBTLV_RMT_ITF_ADDR_SIZE, "Remote Itf. 
Address"); + + if (!json) +- vty_out(vty, +- " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n", +- ntohs(top->header.length), &top->value); ++ if (vty != NULL) { ++ vty_out(vty, ++ " Remote Interface Address Sub-TLV: Length %u\n Address: %pI4\n", ++ ntohs(top->header.length), &top->value); ++ } else { ++ zlog_debug(" Remote Interface Address Sub-TLV: Length %u", ++ ntohs(top->header.length)); ++ zlog_debug(" Address: %pI4", &top->value); ++ } + else + json_object_string_addf(json, "remoteInterfaceAddress", "%pI4", + &top->value); +@@ -1752,18 +1758,30 @@ static uint16_t show_vty_ext_link_adj_sid(struct vty *vty, + : SID_INDEX_SIZE(EXT_SUBTLV_ADJ_SID_SIZE); + check_tlv_size(tlv_size, "Adjacency SID"); + +- if (!json) +- vty_out(vty, +- " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n", +- ntohs(top->header.length), top->flags, top->mtid, +- top->weight, +- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) +- ? "Label" +- : "Index", +- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) +- ? GET_LABEL(ntohl(top->value)) +- : ntohl(top->value)); +- else { ++ if (!json) { ++ /* Add security check for vty_out. If vty is not available, dump info via zlog.*/ ++ if (vty != NULL) ++ vty_out(vty, ++ " Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\t%s: %u\n", ++ ntohs(top->header.length), top->flags, top->mtid, top->weight, ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ++ ? GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ else { ++ zlog_debug(" Adj-SID Sub-TLV: Length %u", ntohs(top->header.length)); ++ zlog_debug(" Flags: 0x%x", top->flags); ++ zlog_debug(" MT-ID:0x%x", top->mtid); ++ zlog_debug(" Weight: 0x%x", top->weight); ++ zlog_debug(" %s: %u", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ++ ? 
GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ } ++ } else { + json_object_string_addf(json, "flags", "0x%x", top->flags); + json_object_string_addf(json, "mtID", "0x%x", top->mtid); + json_object_string_addf(json, "weight", "0x%x", top->weight); +@@ -1791,18 +1809,32 @@ static uint16_t show_vty_ext_link_lan_adj_sid(struct vty *vty, + : SID_INDEX_SIZE(EXT_SUBTLV_LAN_ADJ_SID_SIZE); + check_tlv_size(tlv_size, "LAN-Adjacency SID"); + +- if (!json) +- vty_out(vty, +- " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n", +- ntohs(top->header.length), top->flags, top->mtid, +- top->weight, &top->neighbor_id, +- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) +- ? "Label" +- : "Index", +- CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) +- ? GET_LABEL(ntohl(top->value)) +- : ntohl(top->value)); +- else { ++ if (!json) { ++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */ ++ if (vty != NULL) { ++ vty_out(vty, ++ " LAN-Adj-SID Sub-TLV: Length %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\tWeight: 0x%x\n\tNeighbor ID: %pI4\n\t%s: %u\n", ++ ntohs(top->header.length), top->flags, top->mtid, top->weight, ++ &top->neighbor_id, ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ++ ? GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ } else { ++ zlog_debug(" LAN-Adj-SID Sub-TLV: Length %u", ntohs(top->header.length)); ++ zlog_debug(" Flags: 0x%x", top->flags); ++ zlog_debug(" MT-ID:0x%x", top->mtid); ++ zlog_debug(" Weight: 0x%x", top->weight); ++ zlog_debug(" Neighbor ID: %pI4", &top->neighbor_id); ++ zlog_debug(" %s: %u", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_LINK_ADJ_SID_VFLG) ++ ? 
GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ } ++ } else { + json_object_string_addf(json, "flags", "0x%x", top->flags); + json_object_string_addf(json, "mtID", "0x%x", top->mtid); + json_object_string_addf(json, "weight", "0x%x", top->weight); +@@ -1823,14 +1855,23 @@ static uint16_t show_vty_unknown_tlv(struct vty *vty, struct tlv_header *tlvh, + { + json_object *obj; + ++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */ + if (TLV_SIZE(tlvh) > buf_size) { +- vty_out(vty, " TLV size %d exceeds buffer size. Abort!", +- TLV_SIZE(tlvh)); ++ if (vty != NULL) ++ vty_out(vty, " TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh)); ++ else ++ zlog_debug(" TLV size %d exceeds buffer size. Abort!", TLV_SIZE(tlvh)); ++ + return buf_size; + } + if (!json) +- vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n", +- ntohs(tlvh->type), ntohs(tlvh->length)); ++ if (vty != NULL) { ++ vty_out(vty, " Unknown TLV: [type(0x%x), length(0x%x)]\n", ++ ntohs(tlvh->type), ntohs(tlvh->length)); ++ } else { ++ zlog_debug(" Unknown TLV: [type(0x%x), length(0x%x)]", ++ ntohs(tlvh->type), ntohs(tlvh->length)); ++ } + else { + obj = json_object_new_object(); + json_object_string_addf(obj, "type", "0x%x", +@@ -1855,19 +1896,31 @@ static uint16_t show_vty_link_info(struct vty *vty, struct tlv_header *ext, + + /* Verify that TLV length is valid against remaining buffer size */ + if (length > buf_size) { +- vty_out(vty, +- " Extended Link TLV size %d exceeds buffer size. Abort!\n", +- length); ++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */ ++ if (vty != NULL) { ++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n", ++ length); ++ } else { ++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. 
Abort!", ++ length); ++ } + return buf_size; + } + + if (!json) { +- vty_out(vty, +- " Extended Link TLV: Length %u\n Link Type: 0x%x\n" +- " Link ID: %pI4\n", +- ntohs(top->header.length), top->link_type, +- &top->link_id); +- vty_out(vty, " Link data: %pI4\n", &top->link_data); ++ /* Add security check for vty_out. If vty is not available, dump info via zlog. */ ++ if (vty != NULL) { ++ vty_out(vty, ++ " Extended Link TLV: Length %u\n Link Type: 0x%x\n" ++ " Link ID: %pI4\n", ++ ntohs(top->header.length), top->link_type, &top->link_id); ++ vty_out(vty, " Link data: %pI4\n", &top->link_data); ++ } else { ++ zlog_debug(" Extended Link TLV: Length %u", ntohs(top->header.length)); ++ zlog_debug(" Link Type: 0x%x", top->link_type); ++ zlog_debug(" Link ID: %pI4", &top->link_id); ++ zlog_debug(" Link data: %pI4", &top->link_data); ++ } + } else { + json_object_string_addf(json, "linkType", "0x%x", + top->link_type); +@@ -1959,18 +2012,29 @@ static uint16_t show_vty_ext_pref_pref_sid(struct vty *vty, + : SID_INDEX_SIZE(EXT_SUBTLV_PREFIX_SID_SIZE); + check_tlv_size(tlv_size, "Prefix SID"); + +- if (!json) +- vty_out(vty, +- " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n", +- ntohs(top->header.length), top->algorithm, top->flags, +- top->mtid, +- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) +- ? "Label" +- : "Index", +- CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) +- ? GET_LABEL(ntohl(top->value)) +- : ntohl(top->value)); +- else { ++ if (!json) { ++ if (vty != NULL) { ++ vty_out(vty, ++ " Prefix SID Sub-TLV: Length %u\n\tAlgorithm: %u\n\tFlags: 0x%x\n\tMT-ID:0x%x\n\t%s: %u\n", ++ ntohs(top->header.length), top->algorithm, top->flags, top->mtid, ++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ++ ? 
GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ } else { ++ zlog_debug(" Prefix SID Sub-TLV: Length %u", ntohs(top->header.length)); ++ zlog_debug(" Algorithm: %u", top->algorithm); ++ zlog_debug(" Flags: 0x%x", top->flags); ++ zlog_debug(" MT-ID:0x%x", top->mtid); ++ zlog_debug(" %s: %u", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ? "Label" ++ : "Index", ++ CHECK_FLAG(top->flags, EXT_SUBTLV_PREFIX_SID_VFLG) ++ ? GET_LABEL(ntohl(top->value)) ++ : ntohl(top->value)); ++ } ++ } else { + json_object_int_add(json, "algorithm", top->algorithm); + json_object_string_addf(json, "flags", "0x%x", top->flags); + json_object_string_addf(json, "mtID", "0x%x", top->mtid); +@@ -1995,19 +2059,31 @@ static uint16_t show_vty_pref_info(struct vty *vty, struct tlv_header *ext, + + /* Verify that TLV length is valid against remaining buffer size */ + if (length > buf_size) { +- vty_out(vty, +- " Extended Link TLV size %d exceeds buffer size. Abort!\n", +- length); ++ if (vty != NULL) { ++ vty_out(vty, " Extended Link TLV size %d exceeds buffer size. Abort!\n", ++ length); ++ } else { ++ zlog_debug(" Extended Link TLV size %d exceeds buffer size. 
Abort!", ++ length); ++ } + return buf_size; + } + +- if (!json) +- vty_out(vty, +- " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n" +- "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n", +- ntohs(top->header.length), top->route_type, top->af, +- top->flags, &top->address, top->pref_length); +- else { ++ if (!json) { ++ if (vty != NULL) { ++ vty_out(vty, ++ " Extended Prefix TLV: Length %u\n\tRoute Type: %u\n" ++ "\tAddress Family: 0x%x\n\tFlags: 0x%x\n\tAddress: %pI4/%u\n", ++ ntohs(top->header.length), top->route_type, top->af, top->flags, ++ &top->address, top->pref_length); ++ } else { ++ zlog_debug(" Extended Prefix TLV: Length %u", ntohs(top->header.length)); ++ zlog_debug(" Route Type: %u", top->route_type); ++ zlog_debug(" Address Family: 0x%x", top->af); ++ zlog_debug(" Flags: 0x%x", top->flags); ++ zlog_debug(" Address: %pI4/%u", &top->address, top->pref_length); ++ } ++ } else { + json_object_int_add(json, "routeType", top->route_type); + json_object_string_addf(json, "addressFamily", "0x%x", top->af); + json_object_string_addf(json, "flags", "0x%x", top->flags); diff --git a/meta-networking/recipes-protocols/frr/frr_10.4.2.bb b/meta-networking/recipes-protocols/frr/frr_10.4.2.bb index a0a42859f7..a246b3459f 100644 --- a/meta-networking/recipes-protocols/frr/frr_10.4.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_10.4.2.bb 
@@ -12,6 +12,9 @@ LIC_FILES_CHKSUM = "file://doc/licenses/GPL-2.0;md5=b234ee4d69f5fce4486a80fdaf4a SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/10.4;tag=frr-${PV} \ file://frr.pam \ + file://CVE-2025-61099-61107-1.patch \ + file://CVE-2025-61099-61107-2.patch \ + file://CVE-2025-61099-61107-3.patch \ " SRCREV = "642f65b9e5853c7207982a9cf8275732737d4e44"
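Review bot: In CVE-2025-61099-61107-2.patch the three check_tlv_size macros (ospf_ext.c, ospf_ri.c, ospf_te.c) now return OSPF_MAX_LSA_SIZE + 1 as an out-of-range sentinel, but nothing at the macro documents that contract and the callers that have to stop on it are outside the patch. The functions shown in the third patch that use the macro return uint16_t, so please confirm that OSPF_MAX_LSA_SIZE + 1 fits in that type and that each caller's loop ends once the accumulated length exceeds the LSA length, and add a one-line comment at each macro saying so. The ospf_ext.c copy also rejects on "!=" while the ospf_ri.c and ospf_te.c copies reject only on ">"; it is worth stating whether that difference is intended.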
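Review bot: In CVE-2025-61099-61107-3.patch, show_vty_ext_link_rmt_itf_addr and show_vty_unknown_tlv place the new "if (vty != NULL) { ... } else { ... }" directly under an unbraced "if (!json)" that is followed by its own "else". The outer else pairs correctly only because the inner if already carries an else, so a later edit that drops the zlog branch would silently rebind it. The other functions touched by the same patch (show_vty_ext_link_adj_sid, show_vty_link_info, show_vty_pref_info) use "if (!json) { ... } else {"; bracing the outer if in these two functions as well would remove the hazard.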
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 02/13] xrdp: patch CVE-2022-23468
Date: Sat, 24 Jan 2026 07:29:56 +0100
Message-ID: <20260124063007.28313-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com>
References: <20260124063007.28313-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123807

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23468

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
(cherry picked from commit 1cb08277fe367850eb130c0995d85dca8e609787)
Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23468.patch | 34 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch new file mode 100644 index 0000000000..6f8b3a0fb1 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23468.patch
@@ -0,0 +1,34 @@ +From 43cf272b1138462c1bdfc48ef7e9142208194382 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:16:44 +0000 +Subject: [PATCH] CVE-2022-23468 + +Login window - replace g_sprintf() withl g_snprintf() calls + +CVE: CVE-2022-23468 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/43cf272b1138462c1bdfc48ef7e9142208194382] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_login_wnd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c +index 7a3134fd3e..28748676a1 100644 +--- a/xrdp/xrdp_login_wnd.c ++++ b/xrdp/xrdp_login_wnd.c +@@ -722,13 +722,13 @@ xrdp_login_wnd_create(struct xrdp_wm *self) + if (globals->ls_title[0] == 0) + { + g_gethostname(buf1, 256); +- g_sprintf(buf, "Login to %s", buf1); ++ g_snprintf(buf, sizeof(buf), "Login to %s", buf1); + set_string(&self->login_window->caption1, buf); + } + else + { + /*self->login_window->caption1 = globals->ls_title[0];*/ +- g_sprintf(buf, "%s", globals->ls_title); ++ g_snprintf(buf, sizeof(buf), "%s", globals->ls_title); + set_string(&self->login_window->caption1, buf); + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index a60c125d06..d2527950d5 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -16,6 +16,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-Fix-the-compile-error.patch \ file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ + file://CVE-2022-23468.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
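Review bot: The two g_snprintf() calls in xrdp_login_wnd_create bound the write with sizeof(buf), which equals the buffer size only if buf is declared as an array in this function; the declaration is outside the hunk, so please confirm it is not a pointer. The context line "g_gethostname(buf1, 256);" still hard-codes its length, and using sizeof(buf1) there would keep both sizes tied to the declarations. Note also that g_snprintf() truncates silently, so a long ls_title yields a shortened caption rather than an error.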
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 03/13] xrdp: patch CVE-2022-23477 Date: Sat, 24 Jan 2026 07:29:57 +0100 Message-ID: <20260124063007.28313-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123809 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23477 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit a6efc5b2850036cadb044eb8de8bde2e54c97c28) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23477.patch | 38 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch new file mode 100644 index 0000000000..5c2b48a507 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23477.patch 
@@ -0,0 +1,38 @@ +From d49f269af82be5f14b193d4edfcb63b547a16ff4 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 11:31:31 +0000 +Subject: [PATCH] CVE-2022-23477 + +Prevent buffer overflow for oversized audio format from client + +CVE: CVE-2022-23477 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/d49f269af82be5f14b193d4edfcb63b547a16ff4] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/audin.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sesman/chansrv/audin.c b/sesman/chansrv/audin.c +index cd802fa519..36a8027a57 100644 +--- a/sesman/chansrv/audin.c ++++ b/sesman/chansrv/audin.c +@@ -181,15 +181,16 @@ audin_send_open(int chan_id) + int error; + int bytes; + struct stream *s; +- struct xr_wave_format_ex *wf; ++ struct xr_wave_format_ex *wf = g_client_formats[g_current_format]; + + LOG_DEVEL(LOG_LEVEL_INFO, "audin_send_open:"); + make_stream(s); +- init_stream(s, 8192); ++ /* wf->cbSize was checked when the format was received */ ++ init_stream(s, wf->cbSize + 64); ++ + out_uint8(s, MSG_SNDIN_OPEN); + out_uint32_le(s, 2048); /* FramesPerPacket */ + out_uint32_le(s, g_current_format); /* initialFormat */ +- wf = g_client_formats[g_current_format]; + out_uint16_le(s, wf->wFormatTag); + out_uint16_le(s, wf->nChannels); + out_uint32_le(s, wf->nSamplesPerSec); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index d2527950d5..a953342910 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -17,6 +17,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \ file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ + file://CVE-2022-23477.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:29:58 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79559
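Review bot: in CVE-2022-23477.patch, init_stream(s, wf->cbSize + 64) in audin_send_open() is only safe if the new comment's claim holds, and the check it refers to ("wf->cbSize was checked when the format was received") is not part of this patch, which touches audin_send_open() alone. Please confirm that the format-receive path in the 0.9.20 sources being patched already bounds cbSize; if it does not, that check has to be backported as well. Also note that wf is now taken from g_client_formats[g_current_format] at declaration and dereferenced in init_stream() with no NULL test visible in the hunk.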
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 04/13] xrdp: patch CVE-2022-23478 Date: Sat, 24 Jan 2026 07:29:58 +0100 Message-ID: <20260124063007.28313-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123810 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23478 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 63b5fff9755a5849a0bbfba5447e117130efcf54) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23478.patch | 85 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch new file mode 100644 index 0000000000..de4f773332 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23478.patch 
@@ -0,0 +1,85 @@ +From 6cb54a1c26b53617e1c79a0abc96d03c4add1eb8 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:12:42 +0000 +Subject: [PATCH] CVE-2022-23478 + +Fix potential OOB write if invalid chansrv channel opened + +Also removed an unnecessary dynamic memory allocation + +CVE: CVE-2022-23478 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/6cb54a1c26b53617e1c79a0abc96d03c4add1eb8] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..c91e03ab56 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1360,7 +1360,7 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + int error; + int chan_id; + int chansrv_chan_id; +- char *name; ++ char name[1024 + 1]; + struct xrdp_drdynvc_procs procs; + + if (!s_check_rem(s, 2)) +@@ -1368,33 +1368,32 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, name_bytes); +- if ((name_bytes < 1) || (name_bytes > 1024)) +- { +- return 1; +- } +- name = g_new(char, name_bytes + 1); +- if (name == NULL) ++ if ((name_bytes < 1) || (name_bytes > (int)(sizeof(name) - 1))) + { + return 1; + } + if (!s_check_rem(s, name_bytes)) + { +- g_free(name); + return 1; + } + in_uint8a(s, name, name_bytes); + name[name_bytes] = 0; + if (!s_check_rem(s, 8)) + { +- g_free(name); + return 1; + } + in_uint32_le(s, flags); + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to open invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } ++ + if (flags == 0) + { + /* open static channel, not supported */ +- g_free(name); + return 1; + } + else +@@ -1410,13 +1409,11 @@ xrdp_mm_trans_process_drdynvc_channel_open(struct xrdp_mm *self, + &chan_id); + if (error != 0) + { +- 
g_free(name); + return 1; + } + self->xr2cr_cid_map[chan_id] = chansrv_chan_id; + self->cs2xr_cid_map[chansrv_chan_id] = chan_id; + } +- g_free(name); + return 0; + } + diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index a953342910..bffed4c265 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -18,6 +18,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://0001-mark-count-with-unused-attribute.patch \ file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ + file://CVE-2022-23478.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:29:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79560
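Review bot: in CVE-2022-23478.patch, the unchanged context of xrdp_mm_trans_process_drdynvc_channel_open() still does s_check_rem(s, 2) immediately before in_uint32_le(s, name_bytes), which consumes four bytes, so the first read in the function remains under-checked after this fix; worth raising upstream, or checking for four bytes there. The new bound on chansrv_chan_id uses the literal 255 while the size of cs2xr_cid_map is not visible here; tying the limit to the array's declared size would keep the two from drifting. chan_id, which indexes xr2cr_cid_map in the same block, gets no comparable check in this hunk.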
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 05/13] xrdp: patch CVE-2022-23479 Date: Sat, 24 Jan 2026 07:29:59 +0100 Message-ID: <20260124063007.28313-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123811 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 19e076e66b3e3230b1fa05580e64de45a832ab13) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23479.patch | 83 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch new file mode 100644 index 0000000000..6940ce8f17 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch 
@@ -0,0 +1,83 @@ +From 60864014b733c10881c078048560858067fe5d0f Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 09:44:56 +0000 +Subject: [PATCH] CVE-2022-23479 + +Detect attempts to overflow input buffer + +If application code hasn't properly sanitised the header_size +for a transport, it is possible for read requests to be issued +which overflow the input buffer. This change detects this +at a low level and bounces the read request. + +CVE: CVE-2022-23479 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f] +Signed-off-by: Gyorgy Sarvari +--- + common/trans.c | 19 +++++++++++++++---- + common/trans.h | 2 +- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/common/trans.c b/common/trans.c +index 55d2a63812..1d2d3e68ae 100644 +--- a/common/trans.c ++++ b/common/trans.c +@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) + tbus in_sck = (tbus) 0; + struct trans *in_trans = (struct trans *) NULL; + int read_bytes = 0; +- int to_read = 0; +- int read_so_far = 0; ++ unsigned int to_read = 0; ++ unsigned int read_so_far = 0; + int rv = 0; + enum xrdp_source cur_source; + +@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) + } + else if (self->trans_can_recv(self, self->sck, 0)) + { ++ /* CVE-2022-23479 - check a malicious caller hasn't managed ++ * to set the header_size to an unreasonable value */ ++ if (self->header_size > (unsigned int)self->in_s->size) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "trans_check_wait_objs: Reading %u bytes beyond buffer", ++ self->header_size - (unsigned int)self->in_s->size); ++ self->status = TRANS_STATUS_DOWN; ++ return 1; ++ } ++ + cur_source = XRDP_SOURCE_NONE; + if (self->si != 0) + { + cur_source = self->si->cur_source; + self->si->cur_source = self->my_source; + } +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; 
+ to_read = self->header_size - read_so_far; + + if (to_read > 0) +@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) + } + } + +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + + if (read_so_far == self->header_size) + { +diff --git a/common/trans.h b/common/trans.h +index 1cd89fdac2..313c543b60 100644 +--- a/common/trans.h ++++ b/common/trans.h +@@ -98,7 +98,7 @@ struct trans + ttrans_data_in trans_data_in; + ttrans_conn_in trans_conn_in; + void *callback_data; +- int header_size; ++ unsigned int header_size; + struct stream *in_s; + struct stream *out_s; + char *listen_filename; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index bffed4c265..ea895f169e 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -19,6 +19,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ + file://CVE-2022-23479.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79567
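Review bot: in CVE-2022-23479.patch, making to_read and read_so_far unsigned changes what "to_read = self->header_size - read_so_far" followed by "if (to_read > 0)" does in trans_check_wait_objs(): if read_so_far ever exceeds header_size, the subtraction now wraps to a large positive value and the read branch is taken, where the old int arithmetic gave a negative value and skipped it. The added guard compares header_size with in_s->size only, so please either add a read_so_far <= header_size check before the subtraction or state in the comment why that case cannot occur. The (int) casts were also dropped from the pointer difference in_s->end - in_s->data, which now narrows to unsigned int implicitly.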
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 06/13] xrdp: patch CVE-2022-23480 Date: Sat, 24 Jan 2026 07:30:00 +0100 Message-ID: <20260124063007.28313-6-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123812 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23480 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 71e9d02b125578593eebde2422223a9ede7265f6) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23480-1.patch | 356 ++++++++++++++++++ .../xrdp/xrdp/CVE-2022-23480-2.patch | 54 +++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 2 + 3 files changed, 412 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch new file mode 100644 index 0000000000..259044eb00 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-1.patch 
@@ -0,0 +1,356 @@ +From 7ad7b05261c698b867c7c4f1bfffb4f911036847 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Tue, 6 Dec 2022 12:48:57 +0000 +Subject: [PATCH] CVE-2022-23480 + +Added length checking to redirector response parsing + +CVE: CVE-2022-23480 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/7ad7b05261c698b867c7c4f1bfffb4f911036847] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 151 +++++++++++++++++++++++++++++++------- + 1 file changed, 123 insertions(+), 28 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index a44d47e635..7faa9bfc7a 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -131,10 +131,10 @@ static void devredir_send_server_core_cap_req(void); + static void devredir_send_server_clientID_confirm(void); + static void devredir_send_server_user_logged_on(void); + +-static void devredir_proc_client_core_cap_resp(struct stream *s); +-static void devredir_proc_client_devlist_announce_req(struct stream *s); +-static void devredir_proc_client_devlist_remove_req(struct stream *s); +-static void devredir_proc_device_iocompletion(struct stream *s); ++static int devredir_proc_client_core_cap_resp(struct stream *s); ++static int devredir_proc_client_devlist_announce_req(struct stream *s); ++static int devredir_proc_client_devlist_remove_req(struct stream *s); ++static int devredir_proc_device_iocompletion(struct stream *s); + static void devredir_proc_query_dir_response(IRP *irp, + struct stream *s_in, + tui32 DeviceId, +@@ -323,6 +323,11 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + } + + /* read header from incoming data */ ++ if (!s_check_rem_and_log(ls, 4, "Parsing [MS-RDPEFS] RDPDR_HEADER")) ++ { ++ rv = -1; ++ goto done; ++ } + xstream_rd_u16_le(ls, comp_type); + xstream_rd_u16_le(ls, pktID); + +@@ -340,27 +345,34 @@ devredir_data_in(struct stream *s, int chan_id, 
int chan_flags, int length, + switch (pktID) + { + case PAKID_CORE_CLIENTID_CONFIRM: +- xstream_seek(ls, 2); /* major version, we ignore it */ +- xstream_rd_u16_le(ls, minor_ver); +- xstream_rd_u32_le(ls, g_clientID); ++ if (!s_check_rem_and_log(ls, 6, "Parsing [MS-RDPEFS] DR_CORE_CLIENT_ANNOUNCE_RSP")) ++ { ++ rv = -1; ++ } ++ else ++ { ++ xstream_seek(ls, 2); /* major version, we ignore it */ ++ xstream_rd_u16_le(ls, minor_ver); ++ xstream_rd_u32_le(ls, g_clientID); + +- g_client_rdp_version = minor_ver; ++ g_client_rdp_version = minor_ver; + +- switch (minor_ver) +- { +- case RDP_CLIENT_50: +- break; ++ switch (minor_ver) ++ { ++ case RDP_CLIENT_50: ++ break; + +- case RDP_CLIENT_51: +- break; ++ case RDP_CLIENT_51: ++ break; + +- case RDP_CLIENT_52: +- break; ++ case RDP_CLIENT_52: ++ break; + +- case RDP_CLIENT_60_61: +- break; ++ case RDP_CLIENT_60_61: ++ break; ++ } ++ // LK_TODO devredir_send_server_clientID_confirm(); + } +- // LK_TODO devredir_send_server_clientID_confirm(); + break; + + case PAKID_CORE_CLIENT_NAME: +@@ -378,19 +390,19 @@ devredir_data_in(struct stream *s, int chan_id, int chan_flags, int length, + break; + + case PAKID_CORE_CLIENT_CAPABILITY: +- devredir_proc_client_core_cap_resp(ls); ++ rv = devredir_proc_client_core_cap_resp(ls); + break; + + case PAKID_CORE_DEVICELIST_ANNOUNCE: +- devredir_proc_client_devlist_announce_req(ls); ++ rv = devredir_proc_client_devlist_announce_req(ls); + break; + + case PAKID_CORE_DEVICELIST_REMOVE: +- devredir_proc_client_devlist_remove_req(ls); ++ rv = devredir_proc_client_devlist_remove_req(ls); + break; + + case PAKID_CORE_DEVICE_IOCOMPLETION: +- devredir_proc_device_iocompletion(ls); ++ rv = devredir_proc_device_iocompletion(ls); + break; + + default: +@@ -727,8 +739,9 @@ devredir_send_drive_dir_request(IRP *irp, tui32 device_id, + * @brief process client's response to our core_capability_req() msg + * + * @param s stream containing client's response ++ * @return 0 for success, -1 otherwise + 
*****************************************************************************/ +-static void ++static int + devredir_proc_client_core_cap_resp(struct stream *s) + { + int i; +@@ -738,15 +751,31 @@ devredir_proc_client_core_cap_resp(struct stream *s) + tui32 cap_version; + char *holdp; + ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_CAPABLITY_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, num_caps); + xstream_seek(s, 2); /* padding */ + + for (i = 0; i < num_caps; i++) + { + holdp = s->p; ++ if (!s_check_rem_and_log(s, 8, "Parsing [MS-RDPEFS] CAPABILITY_HEADER")) ++ { ++ return -1; ++ } + xstream_rd_u16_le(s, cap_type); + xstream_rd_u16_le(s, cap_len); + xstream_rd_u32_le(s, cap_version); ++ /* Convert the length to a remaining length. Underflow is possible, ++ * but this is an unsigned type so that's OK */ ++ cap_len -= (s->p - holdp); ++ if (cap_len > 0 && ++ !s_check_rem_and_log(s, cap_len, "Parsing [MS-RDPEFS] CAPABILITY_HEADER length")) ++ { ++ return -1; ++ } + + switch (cap_type) + { +@@ -779,11 +808,12 @@ devredir_proc_client_core_cap_resp(struct stream *s) + scard_init(); + break; + } +- s->p = holdp + cap_len; ++ xstream_seek(s, cap_len); + } ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_announce_req(struct stream *s) + { + unsigned int i; +@@ -795,12 +825,22 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + enum NTSTATUS response_status; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CORE_DEVICELIST_ANNOUNCE_REQ")) ++ { ++ return -1; ++ } ++ + xstream_rd_u32_le(s, device_count); + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices announced: %d", device_count); + + for (i = 0; i < device_count; i++) + { ++ if (!s_check_rem_and_log(s, 4 + 4 + 8 + 4, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_type); + xstream_rd_u32_le(s, g_device_id); + /* get preferred DOS name +@@ -816,6 +856,12 
@@ devredir_proc_client_devlist_announce_req(struct stream *s) + + /* Read the device data length from the stream */ + xstream_rd_u32_le(s, device_data_len); ++ if (device_data_len > 0 && ! ++ !s_check_rem_and_log(s, device_data_len, ++ "Parsing [MS-RDPEFS] DEVICE_ANNOUNCE devdata")) ++ { ++ return -1; ++ } + + switch (device_type) + { +@@ -881,9 +927,11 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + devredir_send_server_device_announce_resp(g_device_id, + response_status); + } ++ ++ return 0; + } + +-static void ++static int + devredir_proc_client_devlist_remove_req(struct stream *s) + { + unsigned int i; +@@ -891,7 +939,16 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + tui32 device_id; + + /* get number of devices being announced */ ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, device_count); ++ if (!s_check_rem_and_log(s, 4 * device_count, ++ "Parsing [MS-RDPEFS] DR_DEVICELIST_REMOVE list")) ++ { ++ return -1; ++ } + + LOG_DEVEL(LOG_LEVEL_DEBUG, "num of devices removed: %d", device_count); + { +@@ -901,9 +958,10 @@ devredir_proc_client_devlist_remove_req(struct stream *s) + xfuse_delete_share(device_id); + } + } ++ return 0; + } + +-static void ++static int + devredir_proc_device_iocompletion(struct stream *s) + { + IRP *irp = NULL; +@@ -914,6 +972,10 @@ devredir_proc_device_iocompletion(struct stream *s) + tui32 Length; + enum COMPLETION_TYPE comp_type; + ++ if (!s_check_rem_and_log(s, 12, "Parsing [MS-RDPEFS] DR_DEVICE_IOCOMPLETION")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, DeviceId); + xstream_rd_u32_le(s, CompletionId); + xstream_rd_u32_le(s, IoStatus32); +@@ -959,6 +1021,10 @@ devredir_proc_device_iocompletion(struct stream *s) + } + else + { ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_send_drive_dir_request(irp, DeviceId, + 1, 
irp->pathname); +@@ -966,6 +1032,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_CREATE_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_create_file( +@@ -978,6 +1048,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_OPEN_REQ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + + xfuse_devredir_cb_open_file((struct state_open *) irp->fuse_info, +@@ -989,7 +1063,15 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_READ: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); ++ if (!s_check_rem_and_log(s, Length, "Parsing [MS-RDPEFS] DR_READ_RSP")) ++ { ++ return -1; ++ } + xfuse_devredir_cb_read_file((struct state_read *) irp->fuse_info, + IoStatus, + s->p, Length); +@@ -997,6 +1079,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_WRITE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_WRITE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, Length); + xfuse_devredir_cb_write_file((struct state_write *) irp->fuse_info, + IoStatus, +@@ -1019,6 +1105,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RMDIR_OR_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rmdir_or_file(irp, IoStatus); + break; +@@ -1028,6 +1118,10 @@ devredir_proc_device_iocompletion(struct stream *s) + break; + + case CID_RENAME_FILE: ++ if (!s_check_rem_and_log(s, 4, "Parsing [MS-RDPEFS] DR_CREATE_RSP")) ++ { ++ return -1; ++ } + xstream_rd_u32_le(s, irp->FileId); + devredir_proc_cid_rename_file(irp, IoStatus); + break; +@@ -1051,6 +1145,7 @@ 
devredir_proc_device_iocompletion(struct stream *s) + break; + } + } ++ return 0; + } + + static void diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch new file mode 100644 index 0000000000..38c444efcf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23480-2.patch 
@@ -0,0 +1,54 @@ +From 191ed3e3fa892c7dc26e142c7af7af546fcce87d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Thu, 8 Dec 2022 14:13:48 +0000 +Subject: [PATCH] Remove unused g_full_name_for_filesystem + +Not only was this unused, the way it was read could lead to a +buffer overflow (CVE-2022-23480) + +CVE: CVE-2022-23480 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/191ed3e3fa892c7dc26e142c7af7af546fcce87d] +Signed-off-by: Gyorgy Sarvari +--- + sesman/chansrv/devredir.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c +index 7faa9bfc7a..6ce35e34de 100644 +--- a/sesman/chansrv/devredir.c ++++ b/sesman/chansrv/devredir.c +@@ -103,7 +103,6 @@ int g_is_port_redir_supported = 0; + int g_is_drive_redir_supported = 0; + int g_is_smartcard_redir_supported = 0; + int g_drive_redir_version = 1; +-char g_full_name_for_filesystem[1024]; + tui32 g_completion_id = 1; + + tui32 g_clientID; /* unique client ID - announced by client */ +@@ -866,21 +865,18 @@ devredir_proc_client_devlist_announce_req(struct stream *s) + switch (device_type) + { + case RDPDR_DTYP_FILESYSTEM: +- /* get device data len */ +- if (device_data_len) +- { +- xstream_rd_string(g_full_name_for_filesystem, s, +- device_data_len); +- } ++ /* At present we don't use the full name - see ++ * [MS-RDPEFS] 2.2.3.1 for details of the contents */ ++ xstream_skip_u8(s, device_data_len); + + LOG(LOG_LEVEL_INFO, "Detected remote drive '%s'", + preferred_dos_name); + + LOG_DEVEL(LOG_LEVEL_DEBUG, + "device_type=FILE_SYSTEM device_id=0x%x dosname=%s " +- "device_data_len=%d full_name=%s", g_device_id, ++ "device_data_len=%d", g_device_id, + preferred_dos_name, +- device_data_len, g_full_name_for_filesystem); ++ device_data_len); + + response_status = STATUS_SUCCESS; + 
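Review bot: In CVE-2022-23480-1.patch, devredir_proc_client_devlist_remove_req() guards the id list with s_check_rem_and_log(s, 4 * device_count, ...), but device_count has just been read off the wire by xstream_rd_u32_le(), so the multiplication can wrap and a large count can pass the check. Comparing device_count against the remaining length divided by 4, or rejecting counts above a sane maximum first, avoids the wrap. Also, in the DEVICE_ANNOUNCE hunk as it appears here the condition ends one line with "&& !" and begins the next with "!s_check_rem_and_log("; if the patch file really carries both negations, the early return fires on well-formed input instead of short input, so that line should be compared with the upstream commit.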
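Review bot: In CVE-2022-23480-2.patch, the replacement xstream_skip_u8(s, device_data_len) in the RDPDR_DTYP_FILESYSTEM case has no bounds check of its own, so it is only safe because CVE-2022-23480-1.patch adds the s_check_rem_and_log() on device_data_len ahead of the switch. The recipe lists -1 before -2, which is the order that matters; a sentence in this patch's header stating that dependency would keep someone from carrying -2 on its own.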
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index ea895f169e..e50accfe17 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -20,6 +20,8 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ file://CVE-2022-23479.patch \ + file://CVE-2022-23480-1.patch \ + file://CVE-2022-23480-2.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79562
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 07/13] xrdp: patch CVE-2022-23481 Date: Sat, 24 Jan 2026 07:30:01 +0100 Message-ID: <20260124063007.28313-7-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123813 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23481 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 64ee8f84c4edfb4d0b9b2e299e1a1afe6a6168e0) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23481.patch | 46 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch new file mode 100644 index 0000000000..bb2d3c8cfa --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23481.patch 
@@ -0,0 +1,46 @@ +From c77e974080da8267d902f99ca5ab7d22ea02d98c Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:40:25 +0000 +Subject: [PATCH] CVE-2022-23481 + +Add length checks to client confirm active PDU parsing + +CVE: CVE-2022-23481 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/c77e974080da8267d902f99ca5ab7d22ea02d98c] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_caps.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/libxrdp/xrdp_caps.c b/libxrdp/xrdp_caps.c +index 5c5e74a579..ac21cc0a18 100644 +--- a/libxrdp/xrdp_caps.c ++++ b/libxrdp/xrdp_caps.c +@@ -667,13 +667,27 @@ xrdp_caps_process_confirm_active(struct xrdp_rdp *self, struct stream *s) + int len; + char *p; + ++ if (!s_check_rem_and_log(s, 10, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header")) ++ { ++ return 1; ++ } + in_uint8s(s, 4); /* rdp_shareid */ + in_uint8s(s, 2); /* userid */ + in_uint16_le(s, source_len); /* sizeof RDP_SOURCE */ + in_uint16_le(s, cap_len); ++ ++ if (!s_check_rem_and_log(s, source_len + 2 + 2, ++ "Parsing [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU" ++ " - header2")) ++ { ++ return 1; ++ } + in_uint8s(s, source_len); + in_uint16_le(s, num_caps); + in_uint8s(s, 2); /* pad */ ++ + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_CONFIRM_ACTIVE_PDU " + "shareID (ignored), originatorID (ignored), lengthSourceDescriptor %d, " + "lengthCombinedCapabilities %d, sourceDescriptor (ignored), " diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index e50accfe17..308822e8f5 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
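Review bot: In xrdp_caps_process_confirm_active() the two added checks cover the 10-byte header and source_len + 2 + 2, but cap_len is read from the same header and never compared with what is left in the stream. If the capability-set loop further down (outside this hunk) walks the data using cap_len or num_caps without its own s_check_rem(), the PDU can still be over-read; worth confirming against the full function, or adding a check on cap_len next to the header2 check.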
@@ -22,6 +22,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23479.patch \ file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ + file://CVE-2022-23481.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79565
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 08/13] xrdp: patch CVE-2022-23482 Date: Sat, 24 Jan 2026 07:30:02 +0100 Message-ID: <20260124063007.28313-8-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123814 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 31694c82e3269855fe6a9cc3614f66c4e1067589) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23482.patch | 69 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch new file mode 100644 index 0000000000..ef99baa8cf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch 
@@ -0,0 +1,69 @@ +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 11:05:46 +0000 +Subject: [PATCH] CVE-2022-23482 + +Check minimum length of TS_UD_CS_CORE message + +CVE: CVE-2022-23482 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf] +Signed-off-by: Gyorgy Sarvari +--- + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c +index 691d4f04f3..084fca6b8d 100644 +--- a/libxrdp/xrdp_sec.c ++++ b/libxrdp/xrdp_sec.c +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) + static int + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + { ++#define CS_CORE_MIN_LENGTH \ ++ (\ ++ 4 + /* Version */ \ ++ 2 + 2 + /* desktopWidth + desktopHeight */ \ ++ 2 + 2 + /* colorDepth + SASSequence */ \ ++ 4 + /* keyboardLayout */ \ ++ 4 + 32 + /* clientBuild + clientName */ \ ++ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ ++ 64 + /* imeFileName */ \ ++ 0) ++ + int version; + int colorDepth; + int postBeta2ColorDepth; +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + + UNUSED_VAR(version); + +- /* TS_UD_CS_CORE requiered fields */ ++ /* TS_UD_CS_CORE required fields */ ++ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, ++ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) ++ { ++ return 1; ++ } + in_uint32_le(s, version); + in_uint16_le(s, self->rdp_layer->client_info.width); + in_uint16_le(s, self->rdp_layer->client_info.height); +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + clientName); + + /* TS_UD_CS_CORE optional fields */ ++ if (!s_check_rem(s, 2)) ++ { ++ return 0; ++ } + in_uint16_le(s, postBeta2ColorDepth); + 
LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " + " postBeta2ColorDepth %s", +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + " desktopOrientation (ignored)"); + + return 0; ++#undef CS_CORE_MIN_LENGTH + } + + /*****************************************************************************/ diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 308822e8f5..0faf664f61 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
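Review bot: The CS_CORE_MIN_LENGTH macro is defined inside xrdp_sec_process_mcs_data_CS_CORE() and its #undef sits after the final return 0;, which reads like unreachable code and is easy to lose when the function is edited. A file-scope #define (or enum constant) next to the function would keep the field-by-field breakdown without the define/undef pair. The breakdown adds up to 128 bytes, which a short comment could state so the total can be checked at a glance.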
@@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ + file://CVE-2022-23482.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79568
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 09/13] xrdp: patch CVE-2022-23483 Date: Sat, 24 Jan 2026 07:30:03 +0100 Message-ID: <20260124063007.28313-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123815 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23483 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 8ffd8f29d5f055e390d4475c99f2d2c22f9797d9) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23483.patch | 65 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch new file mode 100644 index 0000000000..7172a8264c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch 
@@ -0,0 +1,65 @@ +From 35cca701c753db65d3c05b7ea4fff9bd09e76661 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:21:41 +0000 +Subject: [PATCH] CVE-2022-23483 + +Sanitise channel data being passed from application + +Avoids OOB read if the size field is incorrect. + +CVE: CVE-2022-23483 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661] +Signed-off-by: Gyorgy Sarvari + +--- + xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..64ae229e01 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans) + static int + xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s) + { +- int size; +- int total_size; ++ unsigned int size; ++ unsigned int total_size; + int chan_id; + int chan_flags; +- int rv; +- +- in_uint16_le(s, chan_id); +- in_uint16_le(s, chan_flags); +- in_uint16_le(s, size); +- in_uint32_le(s, total_size); +- rv = 0; ++ int rv = 0; + +- if (rv == 0) ++ if (!s_check_rem_and_log(s, 10, "Reading channel data header")) ++ { ++ rv = 1; ++ } ++ else + { +- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size, +- chan_flags); ++ in_uint16_le(s, chan_id); ++ in_uint16_le(s, chan_flags); ++ in_uint16_le(s, size); ++ in_uint32_le(s, total_size); ++ if (!s_check_rem_and_log(s, size, "Reading channel data data")) ++ { ++ rv = 1; ++ } ++ else ++ { ++ rv = libxrdp_send_to_channel(self->wm->session, chan_id, ++ s->p, size, total_size, chan_flags); ++ } + } + + return rv; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 0faf664f61..f8fd052e7f 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
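Review bot: In xrdp_mm_trans_process_channel_data() the new check bounds size against the stream, but total_size is still taken from the message and handed to libxrdp_send_to_channel() unchecked, with nothing here ensuring size <= total_size. If the callee relies on that relationship it should be validated alongside the size check. Minor: the log string "Reading channel data data" looks like a slip; "Reading channel data payload" or similar would be clearer in the log.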
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ + file://CVE-2022-23483.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79566
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 10/13] xrdp: patch CVE-2022-23484 Date: Sat, 24 Jan 2026 07:30:04 +0100 Message-ID: <20260124063007.28313-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com> References: <20260124063007.28313-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Jan 2026 06:30:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123816 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23484 Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal (cherry picked from commit 2578e5c17d95cdb56e3d85cecaf541d7473122f9) Signed-off-by: Gyorgy Sarvari --- .../xrdp/xrdp/CVE-2022-23484.patch | 31 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch new file mode 100644 index 0000000000..af27c50376 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23484.patch 
@@ -0,0 +1,31 @@ +From c2c6efb1d377be6baaa4acbc9d3700490fe92887 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:03:24 +0000 +Subject: [PATCH] CVE-2022-23484 + +Add check for RAIL window text size + +CVE: CVE-2022-23484 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/c2c6efb1d377be6baaa4acbc9d3700490fe92887] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..4352625874 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -929,6 +929,12 @@ xrdp_mm_process_rail_update_window_text(struct xrdp_mm *self, struct stream *s) + + g_memset(&rwso, 0, sizeof(rwso)); + in_uint32_le(s, size); /* title size */ ++ if (size < 0 || !s_check_rem(s, size)) ++ { ++ LOG(LOG_LEVEL_ERROR, "%s : invalid window text size %d", ++ __func__, size); ++ return 1; ++ } + rwso.title_info = g_new(char, size + 1); + in_uint8a(s, rwso.title_info, size); + rwso.title_info[size] = 0; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index f8fd052e7f..c67f2e83d8 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
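Review bot: In xrdp_mm_process_rail_update_window_text() the added check validates size only after in_uint32_le(s, size) has already consumed four bytes, and the visible context shows no s_check_rem(s, 4) ahead of that read. Unless an earlier part of the function (outside this hunk) guarantees those bytes, a check before the read is needed too, as the DR_READ_RSP handling in CVE-2022-23480-1.patch does for Length. Using s_check_rem_and_log() here would also match the other patches in the series instead of a hand-written LOG().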
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23481.patch \ file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ + file://CVE-2022-23484.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79564
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 11/13] xrdp: patch CVE-2022-23493
Date: Sat, 24 Jan 2026 07:30:05 +0100
Message-ID: <20260124063007.28313-11-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com>
References: <20260124063007.28313-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123817

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23493

Pick the patch that mentions this vulnerability explicitly.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
(cherry picked from commit f81041bb39d0fb10bbf3c0edcae47a65c573088c)
Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2022-23493.patch | 33 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch new file mode 100644 index 0000000000..de3f7a42f3 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23493.patch
@@ -0,0 +1,33 @@ +From 030db5524be7616967ae9e7d26b3d4477cf6082d Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Wed, 7 Dec 2022 10:49:06 +0000 +Subject: [PATCH] CVE-2022-23493 + +Check chansrv channel ID on a channel close + +Prevent OOB read if an invalid channel ID is sent. + +CVE: CVE-2022-23493 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/030db5524be7616967ae9e7d26b3d4477cf6082d] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp_mm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c +index 74b0516afa..068424885e 100644 +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -1435,6 +1435,12 @@ xrdp_mm_trans_process_drdynvc_channel_close(struct xrdp_mm *self, + return 1; + } + in_uint32_le(s, chansrv_chan_id); ++ if (chansrv_chan_id < 0 || chansrv_chan_id > 255) ++ { ++ LOG(LOG_LEVEL_ERROR, "Attempting to close invalid chansrv channel %d", ++ chansrv_chan_id); ++ return 1; ++ } + chan_id = self->cs2xr_cid_map[chansrv_chan_id]; + /* close dynamic channel */ + error = libxrdp_drdynvc_close(self->wm->session, chan_id); diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index c67f2e83d8..663ee9297a 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -26,6 +26,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23482.patch \ file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ + file://CVE-2022-23493.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:06 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 79569
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 12/13] xrdp: patch CVE-2023-40184
Date: Sat, 24 Jan 2026 07:30:06 +0100
Message-ID: <20260124063007.28313-12-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com>
References: <20260124063007.28313-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123818

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40184

Pick the patch that is associated with the github advisory[1], which is a backported version of the patch that is referenced by the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
(cherry picked from commit 259e4f9266680f4afd2c54a3a4a6358151edf41b)
Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2023-40184.patch | 73 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 74 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch new file mode 100644 index 0000000000..c4a6a1b862 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-40184.patch
@@ -0,0 +1,73 @@ +From 322d11b431e4773f77aaeb764571a3a8d60f9fca Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Sat, 19 Aug 2023 13:26:44 +0100 +Subject: [PATCH] [v0.9] Check auth_start_session() result + +CVE: CVE-2023-40184 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/8c5b7cdff3929dc59c5f13e33cec839ed45d1c34] +Signed-off-by: Gyorgy Sarvari +--- + sesman/session.c | 7 ++++++- + sesman/verify_user_pam.c | 24 ++++++++++++++++++++++-- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/sesman/session.c b/sesman/session.c +index 441f8d3a60..d352f5e859 100644 +--- a/sesman/session.c ++++ b/sesman/session.c +@@ -526,7 +526,12 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s) + g_delete_wait_obj(g_sigchld_event); + g_delete_wait_obj(g_term_event); + +- auth_start_session(data, display); ++ if (auth_start_session(data, display) != 0) ++ { ++ // Errors are logged by the auth module, as they are ++ // specific to that module ++ g_exit(1); ++ } + sesman_close_all(); + g_sprintf(geometry, "%dx%d", s->width, s->height); + g_sprintf(depth, "%d", s->bpp); +diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c +index a34d83cd7d..ed17397fc3 100644 +--- a/sesman/verify_user_pam.c ++++ b/sesman/verify_user_pam.c +@@ -316,8 +316,8 @@ auth_userpass(const char *user, const char *pass, int *errorcode) + + /******************************************************************************/ + /* returns error */ +-int +-auth_start_session(long in_val, int in_display) ++static int ++auth_start_session_private(long in_val, int in_display) + { + struct t_auth_info *auth_info; + int error; +@@ -357,6 +357,26 @@ auth_start_session(long in_val, int in_display) + return 0; + } + ++/******************************************************************************/ ++/** ++ * Main routine to start a session ++ * ++ * Calls the private routine and logs an additional error if the private 
++ * routine fails ++ */ ++int ++auth_start_session(long in_val, int in_display) ++{ ++ int result = auth_start_session_private(in_val, in_display); ++ if (result != 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "Can't start PAM session. See PAM logging for more info"); ++ } ++ ++ return result; ++} ++ + /******************************************************************************/ + /* returns error */ + int diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 663ee9297a..4ede3d285c 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23483.patch \ file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ + file://CVE-2023-40184.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
From patchwork Sat Jan 24 06:30:07 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 79563
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 13/13] xrdp: patch CVE-2023-42822
Date: Sat, 24 Jan 2026 07:30:07 +0100
Message-ID: <20260124063007.28313-13-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260124063007.28313-1-skandigraun@gmail.com>
References: <20260124063007.28313-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123819

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-42822

Pick the patch that references the github advisory[1] and the cve ID also from the nvd report. The patch is a backported version of the patch referenced by the nvd report.

[1]: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
(cherry picked from commit a9fa1c5c2a83d301aa004cd16d18a516ae383042)
Signed-off-by: Gyorgy Sarvari
--- .../xrdp/xrdp/CVE-2023-42822.patch | 304 ++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 305 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch new file mode 100644 index 0000000000..2cf7968f3c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2023-42822.patch
@@ -0,0 +1,304 @@ +From 58c9c1f06aeb5c91386bca20fa1609d68bf37ae0 Mon Sep 17 00:00:00 2001 +From: matt335672 <30179339+matt335672@users.noreply.github.com> +Date: Mon, 25 Sep 2023 11:25:04 +0100 +Subject: [PATCH] CVE-2023-42822 + +- font_items in struct xrdp_font renamed to chars to catch all + accesses to it. This name is consistent with the type of + the array elements (struct xrdp_font_char). +- Additional fields added to struct xrdp_font to allow for range + checking and for a default character to be provided +- Additional checks and logic added to xrdp_font_create() +- New macro XRDP_FONT_GET_CHAR() added to perform checked access + to chars field in struct xrdp_font + +CVE: CVE-2023-42822 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/fd25fc546a68a94163413ff2cf3989c1e239e762] +Signed-off-by: Gyorgy Sarvari +--- + xrdp/xrdp.h | 9 ++++ + xrdp/xrdp_font.c | 113 +++++++++++++++++++++++++++++++++++++------- + xrdp/xrdp_painter.c | 10 ++-- + xrdp/xrdp_types.h | 8 +++- + 4 files changed, 115 insertions(+), 25 deletions(-) + +diff --git a/xrdp/xrdp.h b/xrdp/xrdp.h +index 36d8f87a9a..be008aa227 100644 +--- a/xrdp/xrdp.h ++++ b/xrdp/xrdp.h +@@ -345,6 +345,15 @@ xrdp_font_delete(struct xrdp_font *self); + int + xrdp_font_item_compare(struct xrdp_font_char *font1, + struct xrdp_font_char *font2); ++/** ++ * Gets a checked xrdp_font_char from a font ++ * @param f Font ++ * @param c32 Unicode codepoint ++ */ ++#define XRDP_FONT_GET_CHAR(f, c32) \ ++ (((unsigned int)(c32) >= ' ') && ((unsigned int)(c32) < (f)->char_count) \ ++ ? 
((f)->chars + (unsigned int)(c32)) \ ++ : (f)->default_char) + + /* funcs.c */ + int +diff --git a/xrdp/xrdp_font.c b/xrdp/xrdp_font.c +index c089db0075..2b34f36ca6 100644 +--- a/xrdp/xrdp_font.c ++++ b/xrdp/xrdp_font.c +@@ -65,6 +65,12 @@ static char w_char[] = + }; + #endif + ++// Unicode definitions ++#define UNICODE_WHITE_SQUARE 0x25a1 ++ ++// First character allocated in the 'struct xrdp_font.chars' array ++#define FIRST_CHAR ' ' ++ + /*****************************************************************************/ + struct xrdp_font * + xrdp_font_create(struct xrdp_wm *wm) +@@ -74,7 +80,7 @@ xrdp_font_create(struct xrdp_wm *wm) + int fd; + int b; + int i; +- int index; ++ unsigned int char_count; + int datasize; + int file_size; + struct xrdp_font_char *f; +@@ -100,17 +106,39 @@ xrdp_font_create(struct xrdp_wm *wm) + } + + self = (struct xrdp_font *)g_malloc(sizeof(struct xrdp_font), 1); ++ if (self == NULL) ++ { ++ LOG(LOG_LEVEL_ERROR, "xrdp_font_create: " ++ "Can't allocate memory for font"); ++ return self; ++ } + self->wm = wm; + make_stream(s); + init_stream(s, file_size + 1024); + fd = g_file_open(file_path); + +- if (fd != -1) ++ if (fd < 0) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Can't open %s - %s", file_path, ++ g_get_strerror()); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + b = g_file_read(fd, s->data, file_size + 1024); + g_file_close(fd); + +- if (b > 0) ++ // Got at least a header? 
++ if (b < (4 + 32 + 2 + 2 + 8)) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: Font %s is truncated", file_path); ++ g_free(self); ++ self = NULL; ++ } ++ else + { + s->end = s->data + b; + in_uint8s(s, 4); +@@ -118,11 +146,27 @@ xrdp_font_create(struct xrdp_wm *wm) + in_uint16_le(s, self->size); + in_uint16_le(s, self->style); + in_uint8s(s, 8); +- index = 32; ++ char_count = FIRST_CHAR; + +- while (s_check_rem(s, 16)) ++ while (!s_check_end(s)) + { +- f = self->font_items + index; ++ if (!s_check_rem(s, 16)) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Can't parse header for character U+%X", char_count); ++ break; ++ } ++ ++ if (char_count >= MAX_FONT_CHARS) ++ { ++ LOG(LOG_LEVEL_WARNING, ++ "xrdp_font_create: " ++ "Ignoring characters >= U+%x", MAX_FONT_CHARS); ++ break; ++ } ++ ++ f = self->chars + char_count; + in_sint16_le(s, i); + f->width = i; + in_sint16_le(s, i); +@@ -139,23 +183,56 @@ xrdp_font_create(struct xrdp_wm *wm) + if (datasize < 0 || datasize > 512) + { + /* shouldn't happen */ +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create, datasize wrong " +- "width %d, height %d, datasize %d, index %d", +- f->width, f->height, datasize, index); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "datasize for U+%x wrong " ++ "width %d, height %d, datasize %d", ++ char_count, f->width, f->height, datasize); + break; + } + +- if (s_check_rem(s, datasize)) ++ if (!s_check_rem(s, datasize)) + { +- f->data = (char *)g_malloc(datasize, 0); +- in_uint8a(s, f->data, datasize); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Not enough data for character U+%X", char_count); ++ break; + } +- else ++ ++ if ((f->data = (char *)g_malloc(datasize, 0)) == NULL) + { +- LOG(LOG_LEVEL_ERROR, "error in xrdp_font_create"); ++ LOG(LOG_LEVEL_ERROR, ++ "xrdp_font_create: " ++ "Allocation error for character U+%X", char_count); ++ break; + } ++ in_uint8a(s, f->data, datasize); ++ ++ ++char_count; ++ } + +- index++; ++ self->char_count = char_count; ++ if 
(char_count <= FIRST_CHAR) ++ { ++ /* We read no characters from the font */ ++ xrdp_font_delete(self); ++ self = NULL; ++ } ++ else ++ { ++ // Find a default glyph ++ if (char_count > UNICODE_WHITE_SQUARE) ++ { ++ self->default_char = &self->chars[UNICODE_WHITE_SQUARE]; ++ } ++ else if (char_count > '?') ++ { ++ self->default_char = &self->chars['?']; ++ } ++ else ++ { ++ self->default_char = &self->chars[FIRST_CHAR]; ++ } + } + } + } +@@ -178,16 +255,16 @@ xrdp_font_create(struct xrdp_wm *wm) + void + xrdp_font_delete(struct xrdp_font *self) + { +- int i; ++ unsigned int i; + + if (self == 0) + { + return; + } + +- for (i = 0; i < NUM_FONTS; i++) ++ for (i = FIRST_CHAR; i < self->char_count; i++) + { +- g_free(self->font_items[i].data); ++ g_free(self->chars[i].data); + } + + g_free(self); +diff --git a/xrdp/xrdp_painter.c b/xrdp/xrdp_painter.c +index b02c9072b6..832186ff22 100644 +--- a/xrdp/xrdp_painter.c ++++ b/xrdp/xrdp_painter.c +@@ -455,7 +455,7 @@ xrdp_painter_text_width(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = rv + font_item->incby; + } + +@@ -493,7 +493,7 @@ xrdp_painter_text_height(struct xrdp_painter *self, const char *text) + + for (index = 0; index < len; index++) + { +- font_item = self->font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(self->font, wstr[index]); + rv = MAX(rv, font_item->height); + } + +@@ -870,7 +870,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + total_height = 0; + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + k = font_item->incby; + total_width += k; + total_height = MAX(total_height, font_item->height); +@@ -904,7 +904,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + draw_rect.bottom - draw_rect.top); + for (index = 0; index < len; 
index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + g_memset(&pat, 0, sizeof(pat)); + pat.format = PT_FORMAT_c1; + pat.width = font_item->width; +@@ -946,7 +946,7 @@ xrdp_painter_draw_text(struct xrdp_painter *self, + + for (index = 0; index < len; index++) + { +- font_item = font->font_items + wstr[index]; ++ font_item = XRDP_FONT_GET_CHAR(font, wstr[index]); + i = xrdp_cache_add_char(self->wm->cache, font_item); + f = HIWORD(i); + c = LOWORD(i); +diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h +index 41b65702f0..b794890b08 100644 +--- a/xrdp/xrdp_types.h ++++ b/xrdp/xrdp_types.h +@@ -574,7 +574,7 @@ struct xrdp_bitmap + int crc16; + }; + +-#define NUM_FONTS 0x4e00 ++#define MAX_FONT_CHARS 0x4e00 + #define DEFAULT_FONT_NAME "sans-10.fv1" + + #define DEFAULT_ELEMENT_TOP 35 +@@ -594,7 +594,11 @@ struct xrdp_bitmap + struct xrdp_font + { + struct xrdp_wm *wm; +- struct xrdp_font_char font_items[NUM_FONTS]; ++ // Font characters, accessed by Unicode codepoint. The first 32 ++ // entries are unused. ++ struct xrdp_font_char chars[MAX_FONT_CHARS]; ++ unsigned int char_count; // # elements in above array ++ struct xrdp_font_char *default_char; // Pointer into above array + char name[32]; + int size; + int style; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 4ede3d285c..bcadd03adf 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb @@ -28,6 +28,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23484.patch \ file://CVE-2022-23493.patch \ file://CVE-2023-40184.patch \ + file://CVE-2023-42822.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
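Review bot: in the CVE-2022-23484 patch for xrdp_mm_process_rail_update_window_text(), the result of `g_new(char, size + 1)` is still handed straight to `in_uint8a(s, rwso.title_info, size)` and then indexed at `[size]` with no NULL check, so an allocation failure would write through a null pointer even though the size is now validated. Suggest testing `rwso.title_info` right after the allocation and returning 1 there as well. The visible context also does not show an `s_check_rem(s, 4)` guarding the `in_uint32_le(s, size)` read itself; worth confirming that the lines above the hunk or the caller cover it.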
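Review bot: in the CVE-2022-23493 patch, the upper bound in `chansrv_chan_id > 255` is a bare literal that has to stay in step with the declared size of `self->cs2xr_cid_map`, and that declaration is not shown in the hunk. Suggest expressing the limit through the array's element count, or through the named constant used in its declaration, so the check cannot drift if the map is ever resized, and confirming that 255 really is the last valid index.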
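Review bot: in the CVE-2023-40184 patch, the new comment in session_start_fork() says failures are logged by the auth module, but the diffstat shows only verify_user_pam.c gaining the "Can't start PAM session" log line. Any other backend that provides auth_start_session() should be checked to return non-zero on failure and to log something, otherwise the child now ends in `g_exit(1)` with nothing in the sesman log to explain it. A short LOG call in session.c just before `g_exit(1)` would cover every backend without relying on each module.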
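Review bot: in the xrdp.h hunk of the CVE-2023-42822 patch, XRDP_FONT_GET_CHAR() evaluates both of its arguments more than once and hard-codes `' '` as the lower bound, while xrdp_font.c defines the same value privately as FIRST_CHAR. The call sites in xrdp_painter.c pass `wstr[index]`, so nothing misbehaves with the arguments used in this patch, but a static inline function would remove the multiple-evaluation hazard for future callers, and moving FIRST_CHAR next to MAX_FONT_CHARS in xrdp_types.h would keep both bounds in one place.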
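Review bot: in the xrdp_font.c hunks of the CVE-2023-42822 patch, xrdp_font_create() now sets `self = NULL` when the font file cannot be opened, is truncated, or yields no characters, yet no caller of xrdp_font_create() appears in the diff and XRDP_FONT_GET_CHAR() dereferences `(f)->char_count` unconditionally. Please confirm that every caller checks for NULL before the painter routines can run. Smaller points in the same hunks: `4 + 32 + 2 + 2 + 8` would read better as a named header-size constant, a negative `b` from g_file_read() is reported as a truncated font rather than a read error, and the log messages mix `U+%X` and `U+%x`.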