author | metalefty <meta@vmeta.jp> | 2022-02-07 16:23:56 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-07 16:23:56 +0300 |
commit | 7e6194504e2b3c9708f28b30a890b498c22b3091 (patch) | |
tree | b7ebbc7f66fb914b42cc75c5e991a4bc616ed9dd | |
parent | cb1d034fde95e2d7c9196bf997645066c125953c (diff) | |
parent | b160f84062915d0552d8381c88376f127013cf98 (diff) |
Merge pull request #2139 from metalefty/releasev0.9.18.1
Release v0.9.18.1
-rw-r--r-- | NEWS.md | 14 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | sesman/sesman.c | 8 |
4 files changed, 21 insertions, 5 deletions
@@ -1,3 +1,17 @@
+# Release notes for xrdp v0.9.18.1 (2022/02/08)
+
+This is a security fix release that includes fixes for the following privilege escalation vulnerability.
+
+* [CVE-2022-23613: Privilege escalation on xrdp-sesman](https://www.cve.org/CVERecord?id=CVE-2022-23613)
+
+Users who uses xrdp v0.9.17 or v0.9.18 are recommended to update to this version.
+
+## Special thanks
+
+Thanks to [Gilad Kleinman](https://github.com/giladkl) reporting the vulnerability and reviewing fix.
+
+-----------------------
+
 # Release notes for xrdp v0.9.18 (2022/01/10)
 
 ## General announcements
@@ -2,7 +2,7 @@
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/neutrinolabs/xrdp-questions)
 ![Apache-License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
 
-*Current Version:* 0.9.17
+*Current Version:* 0.9.18.1
 
 # xrdp - an open source RDP server
 
diff --git a/configure.ac b/configure.ac
index 44ac95a6..bd0fc77c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 # Process this file with autoconf to produce a configure script
 
 AC_PREREQ(2.65)
-AC_INIT([xrdp], [0.9.18], [xrdp-devel@googlegroups.com])
+AC_INIT([xrdp], [0.9.18.1], [xrdp-devel@googlegroups.com])
 AC_CONFIG_HEADERS(config_ac.h:config_ac-h.in)
 AM_INIT_AUTOMAKE([1.7.2 foreign])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/sesman/sesman.c b/sesman/sesman.c
index a8576905..e2b057e6 100644
--- a/sesman/sesman.c
+++ b/sesman/sesman.c
@@ -276,6 +276,7 @@ sesman_close_all(void)
 static int
 sesman_data_in(struct trans *self)
 {
+#define HEADER_SIZE 8
 int version;
 int size;
 
@@ -283,9 +284,9 @@ sesman_data_in(struct trans *self)
 {
 in_uint32_be(self->in_s, version);
 in_uint32_be(self->in_s, size);
- if (size > self->in_s->size)
+ if (size < HEADER_SIZE || size > self->in_s->size)
 {
- LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
+ LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
 return 1;
 }
 self->header_size = size;
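Review bot: `#define HEADER_SIZE 8` is placed inside the body of sesman_data_in and removed again by the `#undef HEADER_SIZE` in the last hunk, so the constant is invisible to any other code in sesman.c that sets the initial `header_size` of a transport. Defining it once at file scope, with a comment such as `/* length of the version and size fields read at the start of each message */`, would let every such site share the constant and removes the need for the `#undef`. Whether another site still uses a literal 8 cannot be seen from these hunks; the function body starts and ends outside this hunk.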
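Review bot: The lower bound added in `if (size < HEADER_SIZE || size > self->in_s->size)` has no comment saying why a short size must be rejected, and it catches wire values with the top bit set only because `size` is a signed `int` filled by `in_uint32_be`. A comment above the check, for example `/* size is peer-supplied and apparently includes the header; reject anything shorter, including values that became negative on conversion to int */`, would stop a later change of `size` to an unsigned type from silently removing half of the guard. The log line now prints the rejected value; printing the limit as well (`self->in_s->size`) would make the message sufficient on its own when triaging. `version` is read on the line before but is not checked in the visible lines; the function continues outside the hunk.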
@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
 return 1;
 }
 /* reset for next message */
- self->header_size = 8;
+ self->header_size = HEADER_SIZE;
 self->extra_flags = 0;
 init_stream(self->in_s, 0); /* Reset input stream pointers */
 }
 return 0;
+#undef HEADER_SIZE
 }
 
 /******************************************************************************/ |