Details: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Pick the patch that mentions this vulnerability explicitly. Signed-off-by: Gyorgy Sarvari <[email protected]> --- v2: fix upstream-sattus formatting .../xrdp/xrdp/CVE-2022-23479.patch | 83 +++++++++++++++++++ meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch new file mode 100644 index 0000000000..6940ce8f17 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23479.patch @@ -0,0 +1,83 @@ +From 60864014b733c10881c078048560858067fe5d0f Mon Sep 17 00:00:00 2001 +From: matt335672 <[email protected]> +Date: Wed, 7 Dec 2022 09:44:56 +0000 +Subject: [PATCH] CVE-2022-23479 + +Detect attempts to overflow input buffer + +If application code hasn't properly sanitised the header_size +for a transport, it is possible for read requests to be issued +which overflow the input buffer. This change detects this +at a low level and bounces the read request. + +CVE: CVE-2022-23479 +Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + common/trans.c | 19 +++++++++++++++---- + common/trans.h | 2 +- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/common/trans.c b/common/trans.c +index 55d2a63812..1d2d3e68ae 100644 +--- a/common/trans.c ++++ b/common/trans.c +@@ -297,8 +297,8 @@ trans_check_wait_objs(struct trans *self) + tbus in_sck = (tbus) 0; + struct trans *in_trans = (struct trans *) NULL; + int read_bytes = 0; +- int to_read = 0; +- int read_so_far = 0; ++ unsigned int to_read = 0; ++ unsigned int read_so_far = 0; + int rv = 0; + enum xrdp_source cur_source; + +@@ -369,13 +369,24 @@ trans_check_wait_objs(struct trans *self) + } + else if (self->trans_can_recv(self, self->sck, 0)) + { ++ /* CVE-2022-23479 - check a malicious caller hasn't managed ++ * to set the header_size to an unreasonable value */ ++ if (self->header_size > (unsigned int)self->in_s->size) ++ { ++ LOG(LOG_LEVEL_ERROR, ++ "trans_check_wait_objs: Reading %u bytes beyond buffer", ++ self->header_size - (unsigned int)self->in_s->size); ++ self->status = TRANS_STATUS_DOWN; ++ return 1; ++ } ++ + cur_source = XRDP_SOURCE_NONE; + if (self->si != 0) + { + cur_source = self->si->cur_source; + self->si->cur_source = self->my_source; + } +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + to_read = self->header_size - read_so_far; + + if (to_read > 0) +@@ -415,7 +426,7 @@ trans_check_wait_objs(struct trans *self) + } + } + +- read_so_far = (int) (self->in_s->end - self->in_s->data); ++ read_so_far = self->in_s->end - self->in_s->data; + + if (read_so_far == self->header_size) + { +diff --git a/common/trans.h b/common/trans.h +index 1cd89fdac2..313c543b60 100644 +--- a/common/trans.h ++++ b/common/trans.h +@@ -98,7 +98,7 @@ struct trans + ttrans_data_in trans_data_in; + ttrans_conn_in trans_conn_in; + void *callback_data; +- int header_size; ++ unsigned int header_size; + struct stream *in_s; + struct stream *out_s; + char *listen_filename; diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index e28f457e87..1900b1e842 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb @@ -19,6 +19,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN file://CVE-2022-23468.patch \ file://CVE-2022-23477.patch \ file://CVE-2022-23478.patch \ + file://CVE-2022-23479.patch \ " SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122306): https://lists.openembedded.org/g/openembedded-devel/message/122306 Mute This Topic: https://lists.openembedded.org/mt/116609065/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
