| Summary: | rdesktop security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Stig-Ørjan Smelror <smelror> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | CVE: | ||
| Status comment: | Version 1.8.5 pushed to Cauldron | ||
|
Description
Stig-Ørjan Smelror
2019-05-10 10:18:22 CEST
Stig-Ørjan Smelror
2019-05-10 10:18:47 CEST
Status comment:
(none) =>
Fixed upstream in 1.8.5 Advisory ======== This is a security release to address various buffer overflow and overrun issues in the rdesktop protocol handling identified by Kaspersky Lab and National Cyber Security Centre. rdesktop will now detect any attempts to access invalid areas and refuse to continue. References ========== https://github.com/rdesktop/rdesktop/releases/tag/v1.8.5 Files ===== Uploaded to core/updates_testing rdesktop-1.8.5-1.mga6 from rdesktop-1.8.5-1.mga6.src.rpm Assignee:
smelror =>
qa-bugs Had endless problems with getting this to run properly in a previous update. Trying the program before updating.
Selected a target machine - canopus:
Installed xrdp on canopus.
# urpmi xrdp
1/3: vnc-server-common #############################################
2/3: tigervnc-server #############################################
3/3: xrdp #############################################
Generating a RSA private key
.....................................................................................................................................................................+++++
.................................................................................+++++
writing new private key to '/etc/pki/tls/private/xrdp.pem'
# systemctl start xrdp
# systemctl enable xrdp
# systemctl status xrdp
● xrdp.service - xrdp daemon
Loaded: loaded (/usr/lib/systemd/system/xrdp.service; enabled; vendor preset:
Active: active (running) since Sun 2019-05-12 16:26:26 BST; 18s ago
Docs: man:xrdp(8)
man:xrdp.ini(5)
Main PID: 9843 (xrdp)
CGroup: /system.slice/xrdp.service
└─9843 /usr/sbin/xrdp --nodaemon
May 12 16:26:26 canopus systemd[1]: Started xrdp daemon.
May 12 16:26:26 canopus xrdp[9843]: (9843)(140305489258624)[INFO ] starting xrdp with pid 9843
May 12 16:26:26 canopus xrdp[9843]: (9843)(140305489258624)[INFO ] listening to port 3389 on 0.0.0.0
Back on local machine:
$ rdesktop -u lcl -d localhost.localdomain -n canopus server
Autoselected keyboard map en-gb
ERROR: server: unable to connect
Earlier this had been tried:
$ rdesktop server
and a gui popped up. Clicking connect allowed the target host to be specified, with a username and password for ssh. That produced a terminal screen for canopus - just like logging in over ssh. No sign of X. Exited from that. Any subsequent attempts to use rdesktop server resulted in "unable to connect".
What we really need is a guide for muffins. How for instance do you get back to square one? There is probably a way to select RDP - I imagined that the ssh part was just for authentication but maybe not.CC:
(none) =>
tarazed25 Tried removing rdesktop and reinstalling but that had no effect. 'rdesktop server' would not raise the gui. Started xrdp service on local machine, modified sesman.ini and started xrdp-sesman service. $ rdesktop server No gui... From an older bug: $ rdesktop -u lcl canopus:3389 Autoselected keyboard map en-gb Connection established using SSL. That brought up a blank cyan panel which failed to respond to mouse-clicks or keyboard events. Tried again but chose Xvnc instead of Xorg. That showed a remote desktop with a konsole and a couple of messages about firefox and Plasma unable to start because of OpenGL 2 problem. Tried again with the -f fullscreen option, which worked for the gui but failed to show the target desktop at full size. There was no way to exit - required a remote login from the target machine to kill it. Investigating the xrdp configuration files.... Updated rdesktop for mga6, x86_64. Tried this command: $ rdesktop -u lcl -g 2560x1440 canopus:3389 Autoselected keyboard map en-gb Connection established using SSL. WARNING: Remote desktop changed from 2560x1440 to 800x600. /dev/dsp: No such file or directory NOT IMPLEMENTED: data PDU 40 NOT IMPLEMENTED: RDPDR pakid 0x554c of component 0x4472 It worked perfectly for the gui but snapped back to 800x600 for the desktop. Maybe something needs to be configured at the remote end? Xvnc maybe - unknown territory again. MGA6-32 MATE on IBM-Thinkpad R50e No installation issues. Made sure that xrdp is installed and runs on desktop on LAN and port 3389 is opened. At CLI: $ rdesktop mach1 Autoselected keyboard map nl-be Connection established using SSL. /dev/dsp: Bestand of map bestaat niet NOT IMPLEMENTED: RDPDR pakid 0x554c of component 0x4472 I get the login screen for the desktop PC, but then a message appears that Plasma (is the default on the desktop PC) needs OpenGL2, but this laptop only supports OpenGL1.3. If I find some time, I'll try to run Xfce on the desktop PC and check if that makes any difference. CC:
(none) =>
herman.viaene Running Xfce on the remote desktop PC. After logging in, all I get is a black screen with a mouse pointer. No reaction on mouse or keyboard operations. If you don't have a Windows machine to test this against, unless the behavior you're seeing is a regression, please validate this. @David, I get the same black screen with vncviewer, so that might be another problem alltogether, so OK-ing. Whiteboard:
(none) =>
MGA6-32-OK
Thomas Backlund
2019-07-21 13:57:20 CEST
CC:
(none) =>
tmb An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0209.html Status:
NEW =>
RESOLVED |