Hi
Attached is the debdiff as prepared for buster-security; I will shortly send
the one for unstable as well.
Regards,
Salvatore
diff -Nru xrdp-0.9.9/debian/changelog xrdp-0.9.9/debian/changelog
--- xrdp-0.9.9/debian/changelog 2019-01-13 13:49:36.0 +0100
+++ xrdp-0.9.9/debian/changelog 2020-07-19 17:02:11.0 +0200
@@ -1,3 +1,13 @@
+xrdp (0.9.9-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * libscp v1 server set height twice, and not set width
+ * xrdp-sesman can be crashed remotely over port 3350 (CVE-2020-4044)
+(Closes: #964573)
+ * Fixed CVE-2020-4044 CI errors
+
+ -- Salvatore Bonaccorso Sun, 19 Jul 2020 17:02:11 +0200
+
xrdp (0.9.9-1) unstable; urgency=medium
[ Thorsten Glaser ]
diff -Nru xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch
xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch
--- xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch 1970-01-01
01:00:00.0 +0100
+++ xrdp-0.9.9/debian/patches/Fix-for-CVE-2020-4044.patch 2020-07-19
17:02:11.0 +0200
@@ -0,0 +1,1270 @@
+From: matt335672 <30179339+matt335...@users.noreply.github.com>
+Date: Fri, 12 Jun 2020 09:56:47 +0100
+Subject: Fix for CVE-2020-4044
+Origin:
https://github.com/neutrinolabs/xrdp/commit/ba2f727c9a2acbee59c27b5883b36b43b022ea9c
+Bug-Debian: https://bugs.debian.org/964573
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-4044
+
+Reported by: Ashley Newson
+---
+ sesman/libscp/libscp_types.h | 4 +
+ sesman/libscp/libscp_v0.c | 335
+ sesman/libscp/libscp_v1s.c | 336 +++--
+ sesman/libscp/libscp_v1s_mng.c | 164 +---
+ sesman/scp.c | 12 +-
+ 5 files changed, 592 insertions(+), 259 deletions(-)
+
+diff --git a/sesman/libscp/libscp_types.h b/sesman/libscp/libscp_types.h
+index 8cb9166c515f..84e6c4651e7e 100644
+--- a/sesman/libscp/libscp_types.h
b/sesman/libscp/libscp_types.h
+@@ -59,6 +59,10 @@
+
+ #include "libscp_types_mng.h"
+
++/* Max server incoming and outgoing message size, used to stop memory
++ exhaustion attempts (CVE-2020-4044) */
++#define SCP_MAX_MESSAGE_SIZE 8192
++
+ struct SCP_CONNECTION
+ {
+ int in_sck;
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 61bf4fdae43a..55168b4f515f 100644
+--- a/sesman/libscp/libscp_v0.c
b/sesman/libscp/libscp_v0.c
+@@ -34,6 +34,65 @@
+
+ extern struct log_config *s_log;
+
++/** Maximum length of a string (two bytes + len), excluding the terminator
++ *
++ * Practially this is limited by [MS-RDPBCGR] TS_INFO_PACKET
++ * */
++#define STRING16_MAX_LEN 512
++
++/**
++ * Reads a big-endian uint16 followed by a string into a buffer
++ *
++ * Buffer is null-terminated on success
++ *
++ * @param s Input stream
++ * @param [out] Output buffer (must be >= (STRING16_MAX_LEN+1) chars)
++ * @param param Parameter we're reading
++ * @param line Line number reference
++ * @return != 0 if string read OK
++ */
++static
++int in_string16(struct stream *s, char str[], const char *param, int line)
++{
++int result;
++
++if (!s_check_rem(s, 2))
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s len missing",
++line, param);
++result = 0;
++}
++else
++{
++unsigned int sz;
++
++in_uint16_be(s, sz);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s too long (%u chars)",
++line, param, sz);
++result = 0;
++}
++else
++{
++result = s_check_rem(s, sz);
++if (!result)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: %s data missing",
++line, param);
++}
++else
++{
++in_uint8a(s, str, sz);
++str[sz] = '\0';
++}
++}
++}
++return result;
++}
+ /* client API */
+
/**/
+ enum SCP_CLIENT_STATES_E
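Review bot: The Doxygen block above in_string16 documents the output buffer as `@param [out] Output buffer …` with no parameter name, so the tag never binds to `str`; it should read `@param [out] str Output buffer (must be >= (STRING16_MAX_LEN+1) chars)`. Worth saying in the same comment why the +1 is required: the length check is `sz > STRING16_MAX_LEN`, so sz == STRING16_MAX_LEN is accepted and `str[sz] = '\0'` then writes index 512, one past a buffer sized only STRING16_MAX_LEN. The contract could also state that `str` is left untouched on every failure path (only the success branch writes it), and the STRING16_MAX_LEN comment has a typo, "Practially" for "Practically". The callers that size the buffer are outside this hunk, so the +1 requirement cannot be confirmed against them here.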
+@@ -71,10 +130,24 @@ scp_v0c_connect(struct SCP_CONNECTION *c, struct
SCP_SESSION *s)
+ }
+
+ sz = g_strlen(s->username);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: username too long",
++__LINE__);
++return SCP_CLIENT_STATE_SIZE_ERR;
++}
+ out_uint16_be(c->out_s, sz);
+ out_uint8a(c->out_s, s->username, sz);
+
+ sz = g_strlen(s->password);
++if (sz > STRING16_MAX_LEN)
++{
++log_message(LOG_LEVEL_WARNING,
++"[v0:%d] connection aborted: password too long",
++__LINE__);
++