Bug#964573: xrdp: CVE-2020-4044

2020-07-19 Thread Salvatore Bonaccorso
Hi

Attached is the debdiff as prepared for buster-security; I will shortly
send the one for unstable as well.

Regards,
Salvatore
diff -Nru xrdp-0.9.9/debian/changelog xrdp-0.9.9/debian/changelog
--- xrdp-0.9.9/debian/changelog 2019-01-13 13:49:36.0 +0100
+++ xrdp-0.9.9/debian/changelog 2020-07-19 17:02:11.0 +0200
@@ -1,3 +1,13 @@
+xrdp (0.9.9-1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * libscp v1 server set height twice, and not set width
+  * xrdp-sesman can be crashed remotely over port 3350 (CVE-2020-4044)
+(Closes: #964573)
+  * Fixed CVE-2020-4044 CI errors
+
+ -- Salvatore Bonaccorso   Sun, 19 Jul 2020 17:02:11 +0200
+
 xrdp (0.9.9-1) unstable; urgency=medium
 
   [ Thorsten Glaser ]
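Review bot: the second and fourth bullets ("libscp v1 server set height twice, and not set width", "Fixed CVE-2020-4044 CI errors") read as upstream commit subjects rather than package changelog text; say what each changes in the package, ideally naming the debian/patches file that carries it, since only Fix-for-CVE-2020-4044.patch is visible in the debdiff as quoted in this mail. The "(Closes: #964573)" continuation line also appears without indentation in this copy; check the file itself keeps it aligned under its bullet so the closing reference is parsed with that entry.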
diff -Nru xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch 
xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch
--- xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch   1970-01-01 
01:00:00.0 +0100
+++ xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch   2020-07-19 
17:02:11.0 +0200
@@ -0,0 +1,1270 @@
+From: matt335672 <30179339+matt335...@users.noreply.github.com>
+Date: Fri, 12 Jun 2020 09:56:47 +0100
+Subject: Fix for CVE-2020-4044
+Origin: 
https://github.com/neutrinolabs/xrdp/commit/ba2f727c9a2acbee59c27b5883b36b43b022ea9c
+Bug-Debian: https://bugs.debian.org/964573
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-4044
+
+Reported by: Ashley Newson
+---
+ sesman/libscp/libscp_types.h   |   4 +
+ sesman/libscp/libscp_v0.c  | 335 
+ sesman/libscp/libscp_v1s.c | 336 +++--
+ sesman/libscp/libscp_v1s_mng.c | 164 +---
+ sesman/scp.c   |  12 +-
+ 5 files changed, 592 insertions(+), 259 deletions(-)
+
+diff --git a/sesman/libscp/libscp_types.h b/sesman/libscp/libscp_types.h
+index 8cb9166c515f..84e6c4651e7e 100644
+--- a/sesman/libscp/libscp_types.h
 b/sesman/libscp/libscp_types.h
+@@ -59,6 +59,10 @@
+ 
+ #include "libscp_types_mng.h"
+ 
++/* Max server incoming and outgoing message size, used to stop memory
++   exhaustion attempts (CVE-2020-4044) */
++#define SCP_MAX_MESSAGE_SIZE 8192
++
+ struct SCP_CONNECTION
+ {
+   int in_sck;
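Review bot: SCP_MAX_MESSAGE_SIZE is introduced with a comment saying it stops memory-exhaustion attempts, but none of the hunks visible in this mail references it, so confirm that the v1 server read paths (libscp_v1s.c and libscp_v1s_mng.c in the diffstat) compare the advertised message length against it before allocating or reading; a define that is never checked gives no protection. A one-line note on why 8192 bytes is enough for the largest legitimate SCP message would also help future maintainers judge the bound.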
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 61bf4fdae43a..55168b4f515f 100644
+--- a/sesman/libscp/libscp_v0.c
 b/sesman/libscp/libscp_v0.c
+@@ -34,6 +34,65 @@
+ 
+ extern struct log_config *s_log;
+ 
++/** Maximum length of a string (two bytes + len), excluding the terminator
++ *
++ * Practially this is limited by [MS-RDPBCGR] TS_INFO_PACKET
++ * */
++#define STRING16_MAX_LEN 512
++
++/**
++ * Reads a big-endian uint16 followed by a string into a buffer
++ *
++ * Buffer is null-terminated on success
++ *
++ * @param s Input stream
++ * @param [out] Output buffer (must be >= (STRING16_MAX_LEN+1) chars)
++ * @param param Parameter we're reading
++ * @param line Line number reference
++ * @return != 0 if string read OK
++ */
++static
++int in_string16(struct stream *s, char str[], const char *param, int line)
++{
++int result;
++
++if (!s_check_rem(s, 2))
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s len missing",
++line, param);
++result = 0;
++}
++else
++{
++unsigned int sz;
++
++in_uint16_be(s, sz);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s too long (%u chars)",
++line, param, sz);
++result = 0;
++}
++else
++{
++result = s_check_rem(s, sz);
++if (!result)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s data missing",
++line, param);
++}
++else
++{
++in_uint8a(s, str, sz);
++str[sz] = '\0';
++}
++}
++}
++return result;
++}
+ /* client API */
+ 
/**/
+ enum SCP_CLIENT_STATES_E
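Review bot: in the in_string16 doc comment the output parameter is documented as "@param [out] Output buffer" without its name (str), "Practially" should be "Practically", and the STRING16_MAX_LEN comment says "two bytes + len" although the limit applies to the string length that follows the two-byte prefix, so reword it to "Maximum length of the string following the two-byte length prefix". The check order itself is right: s_check_rem(s, 2) before in_uint16_be, the STRING16_MAX_LEN bound before s_check_rem(s, sz), and the terminator written at str[sz], which is why callers must supply STRING16_MAX_LEN + 1 bytes. Cosmetic: add a blank line between the closing brace of in_string16 and the "/* client API */" comment that directly follows it.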
+@@ -71,10 +130,24 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct 
SCP_SESSION *s)
+ }
+ 
+ sz = g_strlen(s->username);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: username too long",
++__LINE__);
++return SCP_CLIENT_STATE_SIZE_ERR;
++}
+ out_uint16_be(c->out_s, sz);
+ out_uint8a(c->out_s, s->username, sz);
+ 
+ sz = g_strlen(s->password);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: password too long",
++__LINE__);
++   
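Review bot: the username and password length checks added to scp_v0c_connect are identical apart from the message text; a small output-side helper mirroring in_string16 (g_strlen checked against STRING16_MAX_LEN, then out_uint16_be and out_uint8a) would keep the two in step and remove the duplicated log-and-return block. The hunk is cut off after the password check in this copy of the mail, so the return value of that branch cannot be reviewed here.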

Bug#964573: xrdp: CVE-2020-4044

2020-07-08 Thread Salvatore Bonaccorso
Control: notfound -1 CVE-2020-4044
Control: found -1 0.9.12-1

On Wed, Jul 08, 2020 at 10:28:43PM +0200, Salvatore Bonaccorso wrote:
> Source: xrdp
> Version: CVE-2020-4044

Sorry for the broken report (not sure how I managed to use that broken
version), fixing the metadata.

Regards,
Salvatore



Processed: Re: Bug#964573: xrdp: CVE-2020-4044

2020-07-08 Thread Debian Bug Tracking System
Processing control commands:

> notfound -1 CVE-2020-4044
Bug #964573 [src:xrdp] xrdp: CVE-2020-4044
The source 'xrdp' and version 'CVE-2020-4044' do not appear to match any binary packages
No longer marked as found in versions xrdp/CVE-2020-4044.
> found -1 0.9.12-1
Bug #964573 [src:xrdp] xrdp: CVE-2020-4044
Marked as found in versions xrdp/0.9.12-1.

-- 
964573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964573
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#964573: xrdp: CVE-2020-4044

2020-07-08 Thread Salvatore Bonaccorso
Source: xrdp
Version: CVE-2020-4044
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for xrdp.

CVE-2020-4044[0]:
| The xrdp-sesman service before version 0.9.13.1 can be crashed by
| connecting over port 3350 and supplying a malicious payload. Once the
| xrdp-sesman process is dead, an unprivileged attacker on the server
| could then proceed to start their own imposter sesman service
| listening on port 3350. This will allow them to capture any user
| credentials that are submitted to XRDP and approve or reject arbitrary
| login credentials. For xorgxrdp sessions in particular, this allows an
| unauthorized user to hijack an existing session. This is a buffer
| overflow attack, so there may be a risk of arbitrary code execution as
| well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-4044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4044
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4
[2] https://github.com/neutrinolabs/xrdp/commit/e593f58a82bf79b556601ae08e9e25e366a662fb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore