Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <[email protected]> --- v2: fix upstream-sattus formatting .../xrdp/xrdp/CVE-2022-23482.patch | 69 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch new file mode 100644 index 0000000000..ef99baa8cf --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23482.patch @@ -0,0 +1,69 @@ +From bb9766c79f24a0238644e273bbcdcb2c9d2df1bf Mon Sep 17 00:00:00 2001 +From: matt335672 <[email protected]> +Date: Wed, 7 Dec 2022 11:05:46 +0000 +Subject: [PATCH] CVE-2022-23482 + +Check minimum length of TS_UD_CS_CORE message + +CVE: CVE-2022-23482 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/bb9766c79f24a0238644e273bbcdcb2c9d2df1bf] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + libxrdp/xrdp_sec.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c +index 691d4f04f3..084fca6b8d 100644 +--- a/libxrdp/xrdp_sec.c ++++ b/libxrdp/xrdp_sec.c +@@ -1946,6 +1946,17 @@ xrdp_sec_send_fastpath(struct xrdp_sec *self, struct stream *s) + static int + xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + { ++#define CS_CORE_MIN_LENGTH \ ++ (\ ++ 4 + /* Version */ \ ++ 2 + 2 + /* desktopWidth + desktopHeight */ \ ++ 2 + 2 + /* colorDepth + SASSequence */ \ ++ 4 + /* keyboardLayout */ \ ++ 4 + 32 + /* clientBuild + clientName */ \ ++ 4 + 4 + 4 + /* keyboardType + keyboardSubType + keyboardFunctionKey */ \ ++ 64 + /* imeFileName */ \ ++ 0) ++ + int version; + int colorDepth; + int postBeta2ColorDepth; +@@ -1956,7 +1967,12 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + + UNUSED_VAR(version); + +- /* TS_UD_CS_CORE requiered fields */ ++ /* TS_UD_CS_CORE required fields */ ++ if (!s_check_rem_and_log(s, CS_CORE_MIN_LENGTH, ++ "Parsing [MS-RDPBCGR] TS_UD_CS_CORE")) ++ { ++ return 1; ++ } + in_uint32_le(s, version); + in_uint16_le(s, self->rdp_layer->client_info.width); + in_uint16_le(s, self->rdp_layer->client_info.height); +@@ -1994,6 +2010,10 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + clientName); + + /* TS_UD_CS_CORE optional fields */ ++ if (!s_check_rem(s, 2)) ++ { ++ return 0; ++ } + in_uint16_le(s, postBeta2ColorDepth); + LOG_DEVEL(LOG_LEVEL_TRACE, "Received [MS-RDPBCGR] TS_UD_CS_CORE " + "<Optional Field> postBeta2ColorDepth %s", +@@ -2138,6 +2158,7 @@ xrdp_sec_process_mcs_data_CS_CORE(struct xrdp_sec *self, struct stream *s) + "<Optional Field> desktopOrientation (ignored)"); + + return 0; ++#undef CS_CORE_MIN_LENGTH + } + + /*****************************************************************************/ diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index ff14cf8397..29245f3747 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb @@ -23,6 +23,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23480-1.patch \ file://CVE-2022-23480-2.patch \ file://CVE-2022-23481.patch \ + file://CVE-2022-23482.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122309): https://lists.openembedded.org/g/openembedded-devel/message/122309 Mute This Topic: https://lists.openembedded.org/mt/116609068/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
