Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, I'd like to update xrdp in stretch for two important bugs: 1. #882463, CVE-2017-16927: Local DoS Security team says it's not critical enough for stretch-security and I should instead target stretch-pu (although I disagree). 2. #884453, High CPU load in ssl_tls_accept Remote users could use up quite a lot or all system resources by keeping TLS contexts in a certain state. Please find the debdiff attached. Cheers, Nik -----BEGIN PGP SIGNATURE----- iQJ4BAEBCABiFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlo0F1gxGmh0dHBzOi8v d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYxIcbmlrQG5h dHVyYWxuZXQuZGUACgkQt5o8FqDE8paeRA//apbQ6DhlOkmV6C5+bQ3dSPK0BYbV CAEwhIVSNSsIr7M8726DcoRPIcfdkmU9sE6T84QXf8wShBzoGPTjI9WWIhkwOF2o UuBWZ68wKnQ7A4wuH9br5TYkeF6TDHpct7PE2N+p/BlihXUuUqReXqa4KSjtmKuj l5Q2VJUyUUwyNlZWash8wAY+NmRqpF681sMJCol1v3LQ3F5JUije2rayw//2tdYW HGBYAZEzU/FXZEQyfS6507lyjjiGLWmiwYSGvpvEyr5dg1rJCDNr4P4KH9qbUYLS 4LVpbh8FcsGlnopyjlW9z791upwHUpyyJD2+GTda3zBCTIlTwII7+NJ3L5jpYL// JDXAigt1H09vb2ZYcfjm/P2gqd6yIP9PZDeBjetgQ2Z+pD8/1BrzG/OUd1glxNXU kElHUMvJQxv5jm6XKPldcoBN2CQqwm9NOxiQsx/DyEyhAEpL78+sg1hZ+oPUrj4j I/vX9CGE30mWCEwU6PQqkYS8urN+bvVVFYFO8jM+xYeJZTjwvnjPJkgp89+poGzp ZeRPYyY9+OxMMJJke3aSvrU5wXXpePvz29/KXzAuOTsLavkeL1RQkW7NPtHWtCYk qKICivi10AqLY2Ye2PScnUdAdgJ6spye/b2hju1Hzrz3oeUlxBd5ME2v90QsvbVq CW0Pxt5DlSX9Ir8= =8FZ1 -----END PGP SIGNATURE-----
diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog
--- xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.000000000 +0200
+++ xrdp-0.9.1/debian/changelog 2017-12-15 19:28:28.000000000 +0100
@@ -1,3 +1,10 @@
+xrdp (0.9.1-9+deb9u2) stretch; urgency=medium
+
+ * Fix CVE-2017-16927. (Closes: #882463)
+ * Fix high CPU load on ssl_tls_accept. (Closes: #884453)
+
+ -- Dominik George <n...@naturalnet.de> Fri, 15 Dec 2017 19:28:28 +0100
+
 xrdp (0.9.1-9+deb9u1) stretch; urgency=medium

 * Fix high CPU load on SSL shutdown. (Closes: #876976)
diff -Nru xrdp-0.9.1/debian/patches/cve-2017-16927.patch xrdp-0.9.1/debian/patches/cve-2017-16927.patch
--- xrdp-0.9.1/debian/patches/cve-2017-16927.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.1/debian/patches/cve-2017-16927.patch 2017-12-15 19:28:28.000000000 +0100
@@ -0,0 +1,137 @@
+From: Idan Freiberg
+Subject: sesman: scpv0, accept variable length data fields
+Origin: https://github.com/neutrinolabs/xrdp/commit/ebd0510a7d4dab906b6e01570205dfa530d1f7bf.diff
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882463
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -157,7 +157,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ struct SCP_SESSION *session = 0;
+ tui16 sz;
+ tui32 code = 0;
+- char buf[257];
++ char *buf = 0;
+ 
+ if (!skipVchk)
+ {
+@@ -222,27 +222,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ 
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ 
+ /* width */
+ in_uint16_be(c->in_s, sz);
+@@ -268,9 +272,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_domain(session, buf);
++ g_free(buf);
+ }
+ }
+ 
+@@ -281,9 +287,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_program(session, buf);
++ g_free(buf);
+ }
+ }
+ 
+@@ -294,9 +302,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_directory(session, buf);
++ g_free(buf);
+ }
+ }
+ 
+@@ -307,9 +317,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ 
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_client_ip(session, buf);
++ g_free(buf);
+ }
+ }
+ }
+@@ -328,29 +340,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+ 
+ /* g_writeln("Received user name: %s",buf); */
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ 
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+ 
+ /* g_writeln("Received password: %s",buf); */
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ }
+ else
+ {
diff -Nru xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch
--- xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch 2017-12-15 19:28:28.000000000 +0100
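Review bot: Every `buf = g_new0(char, sz);` in scp_v0s_accept is followed by `buf[sz] = '\0';`, which writes one byte past the end of the sz-byte allocation; this applies to all eight allocation sites in the patch (username and password in both session branches, plus domain, program, directory and client_ip). Allocating room for the terminator with `buf = g_new0(char, sz + 1);` removes the heap off-by-one and also covers a zero-length username or password, where a zero-sized allocation may return NULL before the terminator write. The g_new0 result is used without a NULL check, and nothing in the visible hunks confirms that c->in_s still holds sz bytes before in_uint8a copies them, so a length check against the stream should be confirmed in the parts of the function outside these hunks. The password buffers are released with a plain `g_free(buf);`; clearing them first would keep credentials out of freed heap memory.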
@@ -0,0 +1,32 @@
+From: jsorg71
+Subject: Avoid 100% CPU load on ssl_tls_accept
+Origin: https://github.com/neutrinolabs/xrdp/commit/a9eb21e6d73d94989dc0fa221824b0625b37b7aa.diff
+Bug: https://github.com/neutrinolabs/xrdp/issues/954
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884453
+--- a/common/ssl_calls.c
++++ b/common/ssl_calls.c
+@@ -34,6 +34,8 @@
+ #include "ssl_calls.h"
+ #include "trans.h"
+ 
++#define SSL_WANT_READ_WRITE_TIMEOUT 100
++
+ #if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f)
+ #undef OLD_RSA_GEN1
+ #else
+@@ -726,6 +728,15 @@ ssl_tls_accept(struct ssl_tls *self, int
+ * SSL_ERROR_WANT_READ
+ * SSL_ERROR_WANT_WRITE
+ */
++ switch (SSL_get_error(self->ssl, connection_status))
++ {
++ case SSL_ERROR_WANT_READ:
++ g_sck_can_recv(self->trans->sck, SSL_WANT_READ_WRITE_TIMEOUT);
++ break;
++ case SSL_ERROR_WANT_WRITE:
++ g_sck_can_send(self->trans->sck, SSL_WANT_READ_WRITE_TIMEOUT);
++ break;
++ }
+ }
+ else
+ {
diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series
--- xrdp-0.9.1/debian/patches/series 2017-10-18 11:56:31.000000000 +0200
+++ xrdp-0.9.1/debian/patches/series 2017-12-15 19:28:28.000000000 +0100
@@ -11,3 +11,5 @@
 highres.diff
 cve-2017-6967.diff
 fix-876976.patch
+cve-2017-16927.patch
+fix-ssl-accept-load.patch
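Review bot: The switch added to ssl_tls_accept throttles each handshake retry but nothing visible in the hunk bounds the total time or number of retries, so a peer that stalls mid-handshake can apparently still hold the TLS context open indefinitely, only at lower CPU cost. The results of `g_sck_can_recv` and `g_sck_can_send` are discarded, so a wait that times out is indistinguishable from a ready socket; counting timed-out waits and aborting the accept after a fixed budget would close the remaining resource-exhaustion window. The switch also has no default arm, so I would add `default: break;` with a short comment saying that other SSL_get_error results are handled elsewhere, if that is the case. `SSL_WANT_READ_WRITE_TIMEOUT` deserves a comment giving its unit, for example `/* milliseconds to wait for socket readiness between handshake retries */`. The retry loop and the rest of ssl_tls_accept lie outside this hunk, so the absence of an overall deadline is inferred from the visible lines only.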