
Bug#1008772: xrdp: Please integrate NMUs and gitlab MR



Source: xrdp
Version: 0.9.17-2
Severity: wishlist
Tags: patch
User: devel@kali.org
Usertags: origin-kali

Hello,

I have just uploaded an NMU prepared by a Kali contributor (in the NM
queue). Please find the relevant "git am" patches attached. (The two
patches by Arnaud are also in https://salsa.debian.org/arnaudr/xrdp)

It fixes CVE-2022-23613 and nothing else.

I noticed that you have open MRs on GitLab that it would be good to handle.
There's a former NMU that was never acked and that doesn't appear in
debian/changelog.

https://salsa.debian.org/debian-remote-team/xrdp/-/merge_requests


-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
Raphaël Hertzog
From 6b20339946d23bae9848c00533d006a35ba16990 Mon Sep 17 00:00:00 2001
From: Arnaud Rebillout <arnaudr@kali.org>
Date: Fri, 1 Apr 2022 08:25:06 +0700
Subject: [PATCH 1/3] Import upstream patch to fix CVE-2022-23613 (Closes:
 #1005304)

---
 debian/patches/cve-2022-23613.diff | 47 ++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 debian/patches/cve-2022-23613.diff

diff --git a/debian/patches/cve-2022-23613.diff b/debian/patches/cve-2022-23613.diff
new file mode 100644
index 00000000..0a5ebdf1
--- /dev/null
+++ b/debian/patches/cve-2022-23613.diff
@@ -0,0 +1,47 @@
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Wed, 2 Feb 2022 10:39:50 +0000
+Subject: [PATCH] Add lower bound to sesman data input size check
+Origin: upstream, https://github.com/neutrinolabs/xrdp/commit/4def30ab
+
+---
+ sesman/sesman.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sesman/sesman.c b/sesman/sesman.c
+index a85769053..e2b057e6a 100644
+--- a/sesman/sesman.c
++++ b/sesman/sesman.c
+@@ -276,6 +276,7 @@ sesman_close_all(void)
+ static int
+ sesman_data_in(struct trans *self)
+ {
++#define HEADER_SIZE 8
+     int version;
+     int size;
+ 
+@@ -283,9 +284,9 @@ sesman_data_in(struct trans *self)
+     {
+         in_uint32_be(self->in_s, version);
+         in_uint32_be(self->in_s, size);
+-        if (size > self->in_s->size)
++        if (size < HEADER_SIZE || size > self->in_s->size)
+         {
+-            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
++            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
+             return 1;
+         }
+         self->header_size = size;
+@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
+             return 1;
+         }
+         /* reset for next message */
+-        self->header_size = 8;
++        self->header_size = HEADER_SIZE;
+         self->extra_flags = 0;
+         init_stream(self->in_s, 0); /* Reset input stream pointers */
+     }
+     return 0;
++#undef HEADER_SIZE
+ }
+ 
+ /******************************************************************************/
diff --git a/debian/patches/series b/debian/patches/series
index ecf3e815..a3757c8a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ pulse-debian.patch
 var-run.diff
 document-certs.diff
 fix-environment.diff
+cve-2022-23613.diff
-- 
2.35.1

From a0e029b28413f8900845e9e7135c252885b6d5ae Mon Sep 17 00:00:00 2001
From: Arnaud Rebillout <arnaudr@kali.org>
Date: Fri, 1 Apr 2022 09:34:56 +0700
Subject: [PATCH 2/3] Update changelog for 0.9.17-2.1 release

---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5773a467..527cfa87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xrdp (0.9.17-2.1) unstable; urgency=medium
+
+  * Import upstream patch to fix CVE-2022-23613 (Closes: #1005304)
+
+ -- Arnaud Rebillout <arnaudr@kali.org>  Fri, 01 Apr 2022 09:34:47 +0700
+
 xrdp (0.9.17-2) unstable; urgency=medium
 
   * Initialise the environment properly (Closes: #996418, #984782)
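Review bot: the new 0.9.17-2.1 entry uses an NMU version number but its first item is not "  * Non-maintainer upload.", so at this commit the changelog is incomplete for an NMU; patch 3/3 adds that line afterwards, and squashing it into this commit would keep every commit in the series consistent. Since the entry's only change is the CVE-2022-23613 fix, also consider whether "urgency=medium" is the intended urgency.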
-- 
2.35.1

From 9f4ac4afcee73ce567e5734ba2cacfd1789fb23c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <raphael@offensive-security.com>
Date: Fri, 1 Apr 2022 08:44:24 +0200
Subject: [PATCH 3/3] Add non-maintainer upload to changelog entry.

---
 debian/changelog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/changelog b/debian/changelog
index 527cfa87..1a502830 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 xrdp (0.9.17-2.1) unstable; urgency=medium
 
+  * Non-maintainer upload.
   * Import upstream patch to fix CVE-2022-23613 (Closes: #1005304)
 
  -- Arnaud Rebillout <arnaudr@kali.org>  Fri, 01 Apr 2022 09:34:47 +0700
-- 
2.35.1

