Control: tags 1126537 + patch
Control: tags 1126537 + pending

Dear maintainer,

I've prepared an NMU for xrdp (versioned as 0.10.1-4.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

Regards,
Salvatore

diffstat for xrdp-0.10.1 xrdp-0.10.1

 changelog                                                   |    7 +
 patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch |   80 ++++++++++++
 patches/series                                              |    1 
 3 files changed, 88 insertions(+)

diff -Nru xrdp-0.10.1/debian/changelog xrdp-0.10.1/debian/changelog
--- xrdp-0.10.1/debian/changelog	2025-12-27 09:20:49.000000000 +0100
+++ xrdp-0.10.1/debian/changelog	2026-01-31 20:39:32.000000000 +0100
@@ -1,3 +1,10 @@
+xrdp (0.10.1-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-68670: Buffer overflow parsing domain (Closes: #1126537)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 31 Jan 2026 20:39:32 +0100
+
 xrdp (0.10.1-4) unstable; urgency=medium
 
   * Ack NMU.
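Review bot: the new changelog entry at the CVE-2025-68670 line names the CVE and the bug number but not the patch file that carries the fix. Mentioning debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch, or the upstream commit given in the patch's Origin field, would let someone reading only the changelog locate the change.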
diff -Nru xrdp-0.10.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch xrdp-0.10.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch
--- xrdp-0.10.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch	1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.10.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch	2026-01-31 20:38:49.000000000 +0100
@@ -0,0 +1,80 @@
+From: matt335672 <[email protected]>
+Date: Thu, 18 Dec 2025 11:37:30 +0000
+Subject: CVE-2025-68670: Buffer overflow parsing domain
+Origin: https://github.com/neutrinolabs/xrdp/commit/5cfd4817888c9a46e74db74e0e011182d04fa771
+Bug-Debian: https://bugs.debian.org/1126537
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68670
+
+A potential overflow in xrdp_wm_parse_domain_information() is
+addressed
+
+(cherry picked from commit dd4b56c9873bd246ba3d815522b27d90c99fcc30)
+---
+ xrdp/xrdp_login_wnd.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
+index 650be6bcb959..758f86b1de10 100644
+--- a/xrdp/xrdp_login_wnd.c
++++ b/xrdp/xrdp_login_wnd.c
+@@ -303,7 +303,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *wnd)
+ */
+ static int
+ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+-                                 int decode, char *resultBuffer)
++                                 int decode,
++                                 char *resultBuffer, unsigned int resultSize)
+ {
+     int ret;
+     int pos;
+@@ -313,8 +314,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+     /* If the first char in the domain name is '_' we use the domain
+        name as IP*/
+     ret = 0; /* default return value */
+-    /* resultBuffer assumed to be 256 chars */
+-    g_memset(resultBuffer, 0, 256);
++    g_memset(resultBuffer, 0, resultSize);
+     if (originalDomainInfo[0] == '_')
+     {
+         /* we try to locate a number indicating what combobox index the user
+@@ -324,7 +324,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+          * Invalid chars are ignored in microsoft client therefore we use '_'
+          * again. this sec '__' contains the split for index.*/
+         pos = g_pos(&originalDomainInfo[1], "__");
+-        if (pos > 0)
++        if (pos > 0 && (unsigned int)pos < resultSize)
+         {
+             /* an index is found we try to use it */
+             LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
+@@ -351,7 +351,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+         else
+         {
+             LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
+-            g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
++            g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1);
+         }
+     }
+     return ret;
+@@ -484,7 +484,8 @@ xrdp_wm_show_edits(struct xrdp_wm *self, struct xrdp_bitmap *combo)
+                     {
+                         xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+-                            combo->data_list->count, 0, resultIP);
++                            combo->data_list->count, 0,
++                            resultIP, sizeof(resultIP));
+                         g_strncpy(b->caption1, resultIP, 255);
+                         b->edit_pos = utf8_char_count(b->caption1);
+                     }
+@@ -999,7 +1000,8 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
+     combo->item_index = xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+                             combo->data_list->count, 1,
+-                            resultIP /* just a dummy place holder, we ignore */ );
++                            resultIP,/* just a dummy place holder, we ignore */
++                            sizeof(resultIP));
+     xrdp_wm_show_edits(self, combo);
+ 
+     return 0;
+-- 
+2.51.0
+
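Review bot: in xrdp_wm_parse_domain_information() the new call g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1) subtracts from an unsigned int, so a caller passing resultSize == 0 would wrap the length to UINT_MAX. Both call sites shown pass sizeof(resultIP), so this is not reachable from the visible code, but an early return when resultSize is 0 would keep the function safe for any later caller. Separately, when the "__" separator is found at an offset that is not below resultSize, the tightened test (pos > 0 && (unsigned int)pos < resultSize) appears, from the context shown, to fall through to the else branch that logs "domain does not contain _" and copies a truncated string; a distinct log message for the over-long case would make a rejected domain easier to diagnose. The caller in xrdp_wm_show_edits() also keeps a hard-coded 255 in g_strncpy(b->caption1, resultIP, 255); the size of caption1 is not visible in this diff, so it is worth confirming that 255 matches that destination rather than the old assumed size of resultIP.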
diff -Nru xrdp-0.10.1/debian/patches/series xrdp-0.10.1/debian/patches/series
--- xrdp-0.10.1/debian/patches/series	2024-08-11 13:10:27.000000000 +0200
+++ xrdp-0.10.1/debian/patches/series	2026-01-31 20:38:56.000000000 +0100
@@ -8,3 +8,4 @@
 document-certs.diff
 #fix-environment.diff
 #cherry-pick-dvorak-pr-3112
+CVE-2025-68670-Buffer-overflow-parsing-domain.patch
