Merge pull request #2139 from metalefty/releasev0.9.18.1

Release v0.9.18.1
author: metalefty <meta@vmeta.jp> 2022-02-07 16:23:56 +0300
committer: GitHub <noreply@github.com> 2022-02-07 16:23:56 +0300
commit: 7e6194504e2b3c9708f28b30a890b498c22b3091 (patch)
tree: b7ebbc7f66fb914b42cc75c5e991a4bc616ed9dd
parent: cb1d034fde95e2d7c9196bf997645066c125953c (diff)
parent: b160f84062915d0552d8381c88376f127013cf98 (diff)
4 files changed, 21 insertions, 5 deletions
diff --git a/NEWS.md b/NEWS.md
index 8c959801..a27d2c3b 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,17 @@
+# Release notes for xrdp v0.9.18.1 (2022/02/08)
+
+This is a security fix release that includes fixes for the following privilege escalation vulnerability.
+
+* [CVE-2022-23613: Privilege escalation on xrdp-sesman](https://www.cve.org/CVERecord?id=CVE-2022-23613)
+
+Users who uses xrdp v0.9.17 or v0.9.18 are recommended to update to this version.
+
+## Special thanks
+
+Thanks to [Gilad Kleinman](https://github.com/giladkl) reporting the vulnerability and reviewing fix.
+
+-----------------------
+
 # Release notes for xrdp v0.9.18 (2022/01/10)
 
 ## General announcements
diff --git a/README.md b/README.md
index 1baa2a76..85eeba85 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/neutrinolabs/xrdp-questions)
 ![Apache-License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
 
-*Current Version:* 0.9.17
+*Current Version:* 0.9.18.1
 
 # xrdp - an open source RDP server
 
diff --git a/configure.ac b/configure.ac
index 44ac95a6..bd0fc77c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 # Process this file with autoconf to produce a configure script
 
 AC_PREREQ(2.65)
-AC_INIT([xrdp], [0.9.18], [xrdp-devel@googlegroups.com])
+AC_INIT([xrdp], [0.9.18.1], [xrdp-devel@googlegroups.com])
 AC_CONFIG_HEADERS(config_ac.h:config_ac-h.in)
 AM_INIT_AUTOMAKE([1.7.2 foreign])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/sesman/sesman.c b/sesman/sesman.c
index a8576905..e2b057e6 100644
--- a/sesman/sesman.c
+++ b/sesman/sesman.c
@@ -276,6 +276,7 @@ sesman_close_all(void)
 static int
 sesman_data_in(struct trans *self)
 {
+#define HEADER_SIZE 8
     int version;
     int size;
 
@@ -283,9 +284,9 @@ sesman_data_in(struct trans *self)
     {
         in_uint32_be(self->in_s, version);
         in_uint32_be(self->in_s, size);
-        if (size > self->in_s->size)
+        if (size < HEADER_SIZE || size > self->in_s->size)
         {
-            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
+            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
             return 1;
         }
         self->header_size = size;
@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
             return 1;
         }
         /* reset for next message */
-        self->header_size = 8;
+        self->header_size = HEADER_SIZE;
         self->extra_flags = 0;
         init_stream(self->in_s, 0); /* Reset input stream pointers */
     }
     return 0;
+#undef HEADER_SIZE
 }
 
 /******************************************************************************/
author	metalefty <meta@vmeta.jp>	2022-02-07 16:23:56 +0300
committer	GitHub <noreply@github.com>	2022-02-07 16:23:56 +0300
commit	7e6194504e2b3c9708f28b30a890b498c22b3091 (patch)
tree	b7ebbc7f66fb914b42cc75c5e991a4bc616ed9dd
parent	cb1d034fde95e2d7c9196bf997645066c125953c (diff)
parent	b160f84062915d0552d8381c88376f127013cf98 (diff)