- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package xrdp/0.9.1-9+deb9u1
- From: Dominik George <nik@naturalnet.de>
- Date: Fri, 15 Dec 2017 19:41:29 +0100
- Message-id: <151336328904.21921.3435619185205862185.reportbug@portux.lan.naturalnet.de>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I'd like to update xrdp in stretch for two important bugs:
1. #882463, CVE-2017-16927: Local DoS
Security team says it's not critical enough for stretch-security and I should instead
target stretch-pu (although I disagree).
2. #884453, High CPU load in ssl_tls_accept
Remote clients could drive the server to 100% CPU in ssl_tls_accept — consuming a large share or all of the system's resources — by keeping TLS contexts in a certain state.
Please find the debdiff attached.
Cheers,
Nik
-----BEGIN PGP SIGNATURE-----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=8FZ1
-----END PGP SIGNATURE-----
diff -Nru xrdp-0.9.1/debian/changelog xrdp-0.9.1/debian/changelog
--- xrdp-0.9.1/debian/changelog 2017-10-18 11:56:31.000000000 +0200
+++ xrdp-0.9.1/debian/changelog 2017-12-15 19:28:28.000000000 +0100
@@ -1,3 +1,10 @@
+xrdp (0.9.1-9+deb9u2) stretch; urgency=medium
+
+ * Fix CVE-2017-16927. (Closes: #882463)
+ * Fix high CPU load on ssl_tls_accept. (Closes: #884453)
+
+ -- Dominik George <nik@naturalnet.de> Fri, 15 Dec 2017 19:28:28 +0100
+
xrdp (0.9.1-9+deb9u1) stretch; urgency=medium
* Fix high CPU load on SSL shutdown. (Closes: #876976)
diff -Nru xrdp-0.9.1/debian/patches/cve-2017-16927.patch xrdp-0.9.1/debian/patches/cve-2017-16927.patch
--- xrdp-0.9.1/debian/patches/cve-2017-16927.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.1/debian/patches/cve-2017-16927.patch 2017-12-15 19:28:28.000000000 +0100
@@ -0,0 +1,137 @@
+From: Idan Freiberg
+Subject: sesman: scpv0, accept variable length data fields
+Origin: https://github.com/neutrinolabs/xrdp/commit/ebd0510a7d4dab906b6e01570205dfa530d1f7bf.diff
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882463
+--- a/sesman/libscp/libscp_v0.c
++++ b/sesman/libscp/libscp_v0.c
+@@ -157,7 +157,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ struct SCP_SESSION *session = 0;
+ tui16 sz;
+ tui32 code = 0;
+- char buf[257];
++ char *buf = 0;
+
+ if (!skipVchk)
+ {
+@@ -222,27 +222,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+-
++ buf[sz] = '\0';
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* width */
+ in_uint16_be(c->in_s, sz);
+@@ -268,9 +272,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_domain(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -281,9 +287,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_program(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -294,9 +302,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_directory(session, buf);
++ g_free(buf);
+ }
+ }
+
+@@ -307,9 +317,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+
+ if (sz > 0)
+ {
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
+ buf[sz] = '\0';
+ scp_session_set_client_ip(session, buf);
++ g_free(buf);
+ }
+ }
+ }
+@@ -328,29 +340,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c,
+ scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+ /* reading username */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received user name: %s",buf); */
+ if (0 != scp_session_set_username(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+
+ /* reading password */
+ in_uint16_be(c->in_s, sz);
+- buf[sz] = '\0';
++ buf = g_new0(char, sz);
+ in_uint8a(c->in_s, buf, sz);
++ buf[sz] = '\0';
+
+ /* g_writeln("Received password: %s",buf); */
+ if (0 != scp_session_set_password(session, buf))
+ {
+ scp_session_destroy(session);
+ /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
++ g_free(buf);
+ return SCP_SERVER_STATE_INTERNAL_ERR;
+ }
++ g_free(buf);
+ }
+ else
+ {
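Review bot: Every `buf = g_new0(char, sz);` in this patch is followed by `buf[sz] = '\0';`, which writes one byte past an sz-byte allocation, so the fixed 257-byte stack buffer has been traded for an off-by-one heap write at all eight sites (username, password, domain, program, directory, client IP, and the gateway username/password). Each allocation should be `buf = g_new0(char, sz + 1);`, and the username/password paths, which unlike the later fields have no `sz > 0` guard, also deserve a NULL check on the allocation since a zero-length field turns into a zero-byte request. Nothing in the hunk shows `in_uint8a` checking that `c->in_s` actually holds `sz` bytes; if that macro does not bound against the stream end, the length taken from the wire is still trusted for the read. The enclosing `scp_v0s_accept` starts and ends outside the hunk.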
diff -Nru xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch
--- xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch 1970-01-01 01:00:00.000000000 +0100
+++ xrdp-0.9.1/debian/patches/fix-ssl-accept-load.patch 2017-12-15 19:28:28.000000000 +0100
@@ -0,0 +1,32 @@
+From: jsorg71
+Subject: Avoid 100% CPU load on ssl_tls_accept
+Origin: https://github.com/neutrinolabs/xrdp/commit/a9eb21e6d73d94989dc0fa221824b0625b37b7aa.diff
+Bug: https://github.com/neutrinolabs/xrdp/issues/954
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884453
+--- a/common/ssl_calls.c
++++ b/common/ssl_calls.c
+@@ -34,6 +34,8 @@
+ #include "ssl_calls.h"
+ #include "trans.h"
+
++#define SSL_WANT_READ_WRITE_TIMEOUT 100
++
+ #if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090800f)
+ #undef OLD_RSA_GEN1
+ #else
+@@ -726,6 +728,15 @@ ssl_tls_accept(struct ssl_tls *self, int
+ * SSL_ERROR_WANT_READ
+ * SSL_ERROR_WANT_WRITE
+ */
++ switch (SSL_get_error(self->ssl, connection_status))
++ {
++ case SSL_ERROR_WANT_READ:
++ g_sck_can_recv(self->trans->sck, SSL_WANT_READ_WRITE_TIMEOUT);
++ break;
++ case SSL_ERROR_WANT_WRITE:
++ g_sck_can_send(self->trans->sck, SSL_WANT_READ_WRITE_TIMEOUT);
++ break;
++ }
+ }
+ else
+ {
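Review bot: The new `switch` on `SSL_get_error()` has no `default:` arm and discards the return value of `g_sck_can_recv()`/`g_sck_can_send()`, so any other error code, and a timed-out or failed wait, all fall through silently to whatever the enclosing loop does next; adding `default: break;` at least makes that intent explicit. The wait only bounds how often the loop spins, it does not put a deadline on the handshake, so a client that holds the TLS context in WANT_READ indefinitely still occupies this accept path, which is the resource-exhaustion scenario the bug report describes; a retry budget or overall timeout would be needed to close that, and belongs in the caller's loop, which is outside this hunk. `SSL_WANT_READ_WRITE_TIMEOUT` should state its unit, e.g. `#define SSL_WANT_READ_WRITE_TIMEOUT 100 /* per-wait timeout; presumably ms, matching g_sck_can_recv's argument */`. The enclosing `ssl_tls_accept` starts and ends outside the hunk.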
diff -Nru xrdp-0.9.1/debian/patches/series xrdp-0.9.1/debian/patches/series
--- xrdp-0.9.1/debian/patches/series 2017-10-18 11:56:31.000000000 +0200
+++ xrdp-0.9.1/debian/patches/series 2017-12-15 19:28:28.000000000 +0100
@@ -11,3 +11,5 @@
highres.diff
cve-2017-6967.diff
fix-876976.patch
+cve-2017-16927.patch
+fix-ssl-accept-load.patch