Bug 1069591 (CVE-2017-16927) - VUL-0: CVE-2017-16927: xrdp: Buffer-overflow in scp_v0s_accept function in session manager
Summary: VUL-0: CVE-2017-16927: xrdp: Buffer-overflow in scp_v0s_accept function in se...
Status: RESOLVED FIXED
Alias: CVE-2017-16927
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Daike Yu
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/195607/
Whiteboard: CVSSv2:SUSE:CVE-2017-16927:4.9:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-23 11:46 UTC by Marcus Meissner
Modified: 2022-10-04 09:54 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-11-23 11:46:50 UTC 
rh#1516759


The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager in xrdp through 0.9.4 uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream.

Upstream patch:

https://github.com/neutrinolabs/xrdp/pull/958/commits/ebd0510a7d4dab906b6e01570205dfa530d1f7bf

References:

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1516759
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16927
http://seclists.org/oss-sec/2017/q4/317
Comment 1 Marcus Meissner 2017-11-23 11:59:27 UTC 
seems in all xrdp versions we have.
Comment 2 Johannes Segitz 2018-02-01 09:31:35 UTC 
Please submit for this to SUSE:SLE-12-SP2:Update. Thanks
Comment 15 Swamp Workflow Management 2019-07-15 16:12:03 UTC 
SUSE-SU-2019:1847-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1014524,1015567,1029912,1060644,1069591,1090174,1100453,1101506
CVE References: CVE-2013-1430,CVE-2017-16927,CVE-2017-6967
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    xrdp-0.9.0~git.1456906198.f422461-21.9.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    xrdp-0.9.0~git.1456906198.f422461-21.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Felix Zhang 2019-07-16 03:31:05 UTC 
Fixed
Comment 17 Swamp Workflow Management 2019-07-16 19:11:26 UTC 
SUSE-SU-2019:1860-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1014524,1015567,1022098,1023988,1029912,1060644,1069591,1090174,1100453,1101506
CVE References: CVE-2013-1430,CVE-2017-16927,CVE-2017-6967
Sources used:
SUSE OpenStack Cloud 7 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3
SUSE Enterprise Storage 4 (src):    xrdp-0.9.0~git.1456906198.f422461-16.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Robert Frohl 2022-07-07 13:38:39 UTC 
this is actually needed for SUSE:SLE-11-SP3:Update instead of SUSE:SLE-11-SP4:Update. SUSE:SLE-11-SP4:Update is already EOL.
Comment 29 Marcus Meissner 2022-10-04 09:54:06 UTC 
done