Bug#1005304: xrdp: CVE-2022-23613

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1005304: xrdp: CVE-2022-23613
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 10 Feb 2022 22:33:47 +0100
Message-id: <[🔎] 164452882707.1416086.2757411405981020150.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1005304@bugs.debian.org

Source: xrdp
Version: 0.9.17-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for xrdp.

CVE-2022-23613[0]:
| xrdp is an open source remote desktop protocol (RDP) server. In
| affected versions an integer underflow leading to a heap overflow in
| the sesman server allows any unauthenticated attacker which is able to
| locally access a sesman server to execute code as root. This
| vulnerability has been patched in version 0.9.18.1 and above. Users
| are advised to upgrade. There are no known workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23613
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23613
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32
[2] https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa

Regards,
Salvatore

Reply to:

Prev by Date: Bug#1005238: xrdp: Flood of error reports to xrdp.log
Next by Date: Processing of remmina_1.4.24+dfsg-1_source.changes
Previous by thread: Bug#1005238: xrdp: Flood of error reports to xrdp.log
Next by thread: Processing of remmina_1.4.24+dfsg-1_source.changes
Index(es):
- Date
- Thread