2 files changed, 149 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch
new file mode 100644
index 0000000000..4c93647f67
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch
@@ -0,0 +1,148 @@
+Subject: [PATCH] Fix CVE-2017-16927
+sesman: scpv0, accept variable length data fields
+Upstream-Status: Backport 
+---
+ sesman/libscp/libscp_v0.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
+index 5a0c8bf..5693407 100644
+--- a/sesman/libscp/libscp_v0.c
+++ b/sesman/libscp/libscp_v0.c
+@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+     struct SCP_SESSION *session = 0;
+     tui16 sz;
+     tui32 code = 0;
+-    char buf[257];
+    char *buf = 0;
+ 
+     if (!skipVchk)
+     {
+@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
+        buf[sz] = '\0';
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+-
+        buf[sz] = '\0';
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* width */
+         in_uint16_be(c->in_s, sz);
+@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_domain(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_program(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_directory(session, buf);
+                g_free(buf);
+             }
+         }
+ 
+@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+ 
+             if (sz > 0)
+             {
+                buf = g_new0(char, sz);
+                 in_uint8a(c->in_s, buf, sz);
+                 buf[sz] = '\0';
+                 scp_session_set_client_ip(session, buf);
+                g_free(buf);
+             }
+         }
+     }
+@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION *c, struct SCP_SESSION **s, int skipVchk)
+         scp_session_set_type(session, SCP_GW_AUTHENTICATION);
+         /* reading username */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+        buf[sz] = '\0';
+ 
+         /* g_writeln("Received user name: %s",buf); */
+         if (0 != scp_session_set_username(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting        username", __LINE__);*/
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+ 
+         /* reading password */
+         in_uint16_be(c->in_s, sz);
+-        buf[sz] = '\0';
+        buf = g_new0(char, sz);
+         in_uint8a(c->in_s, buf, sz);
+        buf[sz] = '\0';
+ 
+         /* g_writeln("Received password: %s",buf); */
+         if (0 != scp_session_set_password(session, buf))
+         {
+             scp_session_destroy(session);
+             /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
+            g_free(buf);
+             return SCP_SERVER_STATE_INTERNAL_ERR;
+         }
+        g_free(buf);
+     }
+     else
+     {
+-- 
+2.7.4
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
index e7a77e4493..ccc8e359a7 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/neutrinolabs/xrdp.git \
           file://0001-Fix-sesman.ini-and-xrdp.ini.patch \
           file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
           file://0001-Fix-the-compile-error.patch \
+           file://0001-Fix-of-CVE-2017-16927.patch \
           "
 SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5"

diff --git a/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch new file mode 100644 index 0000000000..4c93647f67 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/0001-Fix-of-CVE-2017-16927.patch
@@ -0,0 +1,148 @@
		1	Subject: [PATCH] Fix CVE-2017-16927
		2
		3	sesman: scpv0, accept variable length data fields
		4
		5	Upstream-Status: Backport
		6
		7	---
		8	sesman/libscp/libscp_v0.c \| 32 +++++++++++++++++++++++++-------
		9	1 file changed, 25 insertions(+), 7 deletions(-)
		10
		11	diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c
		12	index 5a0c8bf..5693407 100644
		13	--- a/sesman/libscp/libscp_v0.c
		14	+++ b/sesman/libscp/libscp_v0.c
		15	@@ -161,7 +161,7 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		16	struct SCP_SESSION *session = 0;
		17	tui16 sz;
		18	tui32 code = 0;
		19	- char buf[257];
		20	+ char *buf = 0;
		21
		22	if (!skipVchk)
		23	{
		24	@@ -226,27 +226,31 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		25
		26	/* reading username */
		27	in_uint16_be(c->in_s, sz);
		28	- buf[sz] = '\0';
		29	+ buf = g_new0(char, sz);
		30	in_uint8a(c->in_s, buf, sz);
		31	-
		32	+ buf[sz] = '\0';
		33	if (0 != scp_session_set_username(session, buf))
		34	{
		35	scp_session_destroy(session);
		36	log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);
		37	+ g_free(buf);
		38	return SCP_SERVER_STATE_INTERNAL_ERR;
		39	}
		40	+ g_free(buf);
		41
		42	/* reading password */
		43	in_uint16_be(c->in_s, sz);
		44	- buf[sz] = '\0';
		45	+ buf = g_new0(char, sz);
		46	in_uint8a(c->in_s, buf, sz);
		47	-
		48	+ buf[sz] = '\0';
		49	if (0 != scp_session_set_password(session, buf))
		50	{
		51	scp_session_destroy(session);
		52	log_message(LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__);
		53	+ g_free(buf);
		54	return SCP_SERVER_STATE_INTERNAL_ERR;
		55	}
		56	+ g_free(buf);
		57
		58	/* width */
		59	in_uint16_be(c->in_s, sz);
		60	@@ -272,9 +276,11 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		61
		62	if (sz > 0)
		63	{
		64	+ buf = g_new0(char, sz);
		65	in_uint8a(c->in_s, buf, sz);
		66	buf[sz] = '\0';
		67	scp_session_set_domain(session, buf);
		68	+ g_free(buf);
		69	}
		70	}
		71
		72	@@ -285,9 +291,11 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		73
		74	if (sz > 0)
		75	{
		76	+ buf = g_new0(char, sz);
		77	in_uint8a(c->in_s, buf, sz);
		78	buf[sz] = '\0';
		79	scp_session_set_program(session, buf);
		80	+ g_free(buf);
		81	}
		82	}
		83
		84	@@ -298,9 +306,11 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		85
		86	if (sz > 0)
		87	{
		88	+ buf = g_new0(char, sz);
		89	in_uint8a(c->in_s, buf, sz);
		90	buf[sz] = '\0';
		91	scp_session_set_directory(session, buf);
		92	+ g_free(buf);
		93	}
		94	}
		95
		96	@@ -311,9 +321,11 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		97
		98	if (sz > 0)
		99	{
		100	+ buf = g_new0(char, sz);
		101	in_uint8a(c->in_s, buf, sz);
		102	buf[sz] = '\0';
		103	scp_session_set_client_ip(session, buf);
		104	+ g_free(buf);
		105	}
		106	}
		107	}
		108	@@ -332,29 +344,35 @@ scp_v0s_accept(struct SCP_CONNECTION c, struct SCP_SESSION *s, int skipVchk)
		109	scp_session_set_type(session, SCP_GW_AUTHENTICATION);
		110	/* reading username */
		111	in_uint16_be(c->in_s, sz);
		112	- buf[sz] = '\0';
		113	+ buf = g_new0(char, sz);
		114	in_uint8a(c->in_s, buf, sz);
		115	+ buf[sz] = '\0';
		116
		117	/* g_writeln("Received user name: %s",buf); */
		118	if (0 != scp_session_set_username(session, buf))
		119	{
		120	scp_session_destroy(session);
		121	/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/
		122	+ g_free(buf);
		123	return SCP_SERVER_STATE_INTERNAL_ERR;
		124	}
		125	+ g_free(buf);
		126
		127	/* reading password */
		128	in_uint16_be(c->in_s, sz);
		129	- buf[sz] = '\0';
		130	+ buf = g_new0(char, sz);
		131	in_uint8a(c->in_s, buf, sz);
		132	+ buf[sz] = '\0';
		133
		134	/* g_writeln("Received password: %s",buf); */
		135	if (0 != scp_session_set_password(session, buf))
		136	{
		137	scp_session_destroy(session);
		138	/* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */
		139	+ g_free(buf);
		140	return SCP_SERVER_STATE_INTERNAL_ERR;
		141	}
		142	+ g_free(buf);
		143	}
		144	else
		145	{
		146	--
		147	2.7.4
		148


diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb index e7a77e4493..ccc8e359a7 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/neutrinolabs/xrdp.git \
15	file://0001-Fix-sesman.ini-and-xrdp.ini.patch \	15	file://0001-Fix-sesman.ini-and-xrdp.ini.patch \
16	file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \	16	file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
17	file://0001-Fix-the-compile-error.patch \	17	file://0001-Fix-the-compile-error.patch \
		18	file://0001-Fix-of-CVE-2017-16927.patch \
18	"	19	"
19		20
20	SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5"	21	SRCREV = "c295dd61b882e8b56677cf12791f43634f9190b5"