Bug 1069591 (CVE-2017-16927)

Summary: VUL-0: CVE-2017-16927: xrdp: Buffer-overflow in scp_v0s_accept function in session manager
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Daike Yu <yu.daike>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: gabriele.sonnu, meissner, rfrohl, smash_bz, thomas.leroy, yfjiang, yu.daike
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/195607/
Whiteboard: CVSSv2:SUSE:CVE-2017-16927:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C) CVSSv3:SUSE:CVE-2017-16927:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) ibs:running:7071:important
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2017-11-23 11:46:50 UTC 
rh#1516759


The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager in xrdp through 0.9.4 uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream.

Upstream patch:

https://github.com/neutrinolabs/xrdp/pull/958/commits/ebd0510a7d4dab906b6e01570205dfa530d1f7bf

References:

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1516759
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16927
http://seclists.org/oss-sec/2017/q4/317
Comment 1 Marcus Meissner 2017-11-23 11:59:27 UTC 
seems in all xrdp versions we have.
Comment 2 Johannes Segitz 2018-02-01 09:31:35 UTC 
Please submit for this to SUSE:SLE-12-SP2:Update. Thanks
Comment 15 Swamp Workflow Management 2019-07-15 16:12:03 UTC 
SUSE-SU-2019:1847-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1014524,1015567,1029912,1060644,1069591,1090174,1100453,1101506
CVE References: CVE-2013-1430,CVE-2017-16927,CVE-2017-6967
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    xrdp-0.9.0~git.1456906198.f422461-21.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    xrdp-0.9.0~git.1456906198.f422461-21.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Felix Zhang 2019-07-16 03:31:05 UTC 
Fixed
Comment 17 Swamp Workflow Management 2019-07-16 19:11:26 UTC 
SUSE-SU-2019:1860-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1014524,1015567,1022098,1023988,1029912,1060644,1069591,1090174,1100453,1101506
CVE References: CVE-2013-1430,CVE-2017-16927,CVE-2017-6967
Sources used:
SUSE OpenStack Cloud 7 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Enterprise Storage 4 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Robert Frohl 2022-07-07 13:38:39 UTC 
this is actually needed for SUSE:SLE-11-SP3:Update instead of SUSE:SLE-11-SP4:Update. SUSE:SLE-11-SP4:Update is already EOL.
Comment 29 Marcus Meissner 2022-10-04 09:54:06 UTC 
done