| Summary: | xrdp new security issue CVE-2023-40184 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, marja11, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | | |
| Source RPM: | xrdp-0.9.21-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
Description

Nicolas Salguero 2023-09-11 16:14:06 CEST

Nicolas Salguero 2023-09-11 16:14:20 CEST

Whiteboard: (none) => MGA9TOO, MGA8TOO

The Fedora announcement indicates that the CVE is fixed by v0.9.23.

This pkg has no maintainer, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in session restrictions such as max concurrent sessions per user by PAM (ex. /etc/security/limits.conf) to be bypassed. (CVE-2023-40184)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40184
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SOT237TIHTHPX5YNIWLVNINOEYC7WMG2/
========================

Updated packages in {8|9}/core/updates_testing:
========================
xrdp-0.9.23-1.mga{8|9}
xrdp-devel-0.9.23-1.mga{8|9}

from SRPM:
xrdp-0.9.23-1.mga{8|9}.src.rpm

Status: NEW => ASSIGNED
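The advisory above describes a bug class rather than a single line of code: a session-start routine reports failure with a non-zero return, and the caller launches the desktop anyway, so a PAM limit on concurrent logins never takes effect. The following is an added illustration written for this report; it is not xrdp's code and was not posted by anyone on this bug. The PAM limit is modelled with an in-memory counter, and the names `simulate_pam_open_session`, `auth_start_session_sim`, `start_session_ignoring_rc` and `start_session_checking_rc` are hypothetical. The two launch functions differ only in whether they honour the return value, which is the whole point of the fix.

```c
/*
 * Added illustration (not xrdp's code): an ignored non-zero return from a
 * session-start function defeats a per-user session limit enforced by PAM.
 *
 * All names below are hypothetical. The PAM "maxlogins" style limit is
 * simulated with an in-memory table so the example runs offline.
 */
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8
#define MAX_SESSIONS_PER_USER 1   /* stands in for a limits.conf maxlogins value */

struct user_sessions {
    char name[32];
    int opened;   /* sessions the simulated PAM accepted for this user */
    int running;  /* desktop sessions actually launched for this user */
};

static struct user_sessions table[MAX_USERS];
static int user_count;

/* Find a user's record, creating it on first sight; NULL when the table is full. */
static struct user_sessions *lookup(const char *name)
{
    for (int i = 0; i < user_count; i++)
        if (strcmp(table[i].name, name) == 0)
            return &table[i];
    if (user_count == MAX_USERS)
        return NULL;
    struct user_sessions *u = &table[user_count++];
    snprintf(u->name, sizeof u->name, "%s", name);
    return u;
}

void reset_sessions(void)
{
    memset(table, 0, sizeof table);
    user_count = 0;
}

/* Simulated PAM session-limit check: 0 means success, 1 means refused. */
static int simulate_pam_open_session(const char *name)
{
    struct user_sessions *u = lookup(name);
    if (u == NULL || u->opened >= MAX_SESSIONS_PER_USER)
        return 1;
    u->opened++;
    return 0;
}

/* Same contract as the advisory describes: non-zero when PAM fails. */
static int auth_start_session_sim(const char *name)
{
    return simulate_pam_open_session(name) != 0 ? 1 : 0;
}

/* Vulnerable pattern: the return code is dropped, so the desktop starts anyway.
 * Returns 1 when a session was launched. */
int start_session_ignoring_rc(const char *name)
{
    auth_start_session_sim(name);          /* result never inspected */
    struct user_sessions *u = lookup(name);
    if (u == NULL)
        return 0;
    u->running++;
    return 1;
}

/* Hardened pattern: a non-zero return aborts the launch.
 * Returns 1 when a session was launched, 0 when refused. */
int start_session_checking_rc(const char *name)
{
    if (auth_start_session_sim(name) != 0)
        return 0;                          /* PAM error or limit reached */
    struct user_sessions *u = lookup(name);
    if (u == NULL)
        return 0;
    u->running++;
    return 1;
}

/* Number of desktop sessions currently launched for a user. */
int running_sessions(const char *name)
{
    struct user_sessions *u = lookup(name);
    return u ? u->running : 0;
}

int main(void)
{
    reset_sessions();
    start_session_ignoring_rc("alice");
    start_session_ignoring_rc("alice");
    printf("ignoring rc: alice has %d running sessions (limit %d)\n",
           running_sessions("alice"), MAX_SESSIONS_PER_USER);

    reset_sessions();
    start_session_checking_rc("alice");
    start_session_checking_rc("alice");
    printf("checking rc: alice has %d running sessions (limit %d)\n",
           running_sessions("alice"), MAX_SESSIONS_PER_USER);
    return 0;
}
```

With the limit set to one session per user, the first variant ends up with two running sessions for the same user, the second with one. When reviewing a session manager for this class of defect, the thing to look for is every call site of the authentication or session-start routine and whether a non-zero result actually stops the launch.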
Nicolas Salguero 2023-09-18 09:22:40 CEST

Assignee: nicolas.salguero => qa-bugs

MGA8-64 Xfce on Acer Aspire 5253
No installation issues

Ref bug 31309 Comment 8 for testing:

On this laptop:

# systemctl start xrdp
# systemctl start xrdp-sesman.service
# systemctl status xrdp
● xrdp.service - xrdp daemon
     Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-09-19 16:06:11 CEST; 33s ago
       Docs: man:xrdp(8)
             man:xrdp.ini(5)
   Main PID: 19141 (xrdp)
      Tasks: 1 (limit: 4364)
     Memory: 1.0M
        CPU: 26ms
     CGroup: /system.slice/xrdp.service
             └─19141 /usr/sbin/xrdp --nodaemon

Sep 19 16:06:11 mach7.hviaene.thuis systemd[1]: Started xrdp daemon.
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] starting xrdp with pid 19141
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] address [0.0.0.0] port [3389] mode 1
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] listening to port 3389 on 0.0.0.0
Sep 19 16:06:13 mach7.hviaene.thuis xrdp[19141]: [INFO ] xrdp_listen_pp done

Then opened port tcp/3389 in MCC.

On desktop PC (which already had freerdp installed) entered the command:
xfreerdp /v:mach7 /u:<userid> /p:<passwd>

Then after allowing the certificate, the desktop opened and was able to open caja and browse the files of the user on the laptop.
Looks OK to me.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
PC LX 2023-09-20 17:53:29 CEST

CC: (none) => mageia

Mageia9, x86_64

Followed Herman's lead on this. Checked that xrdp worked OK before updating - needed to install several things. Updated via qarepo and ran the test again.

Two desktops side-by-side, sirius and antares. Port 3389 open at both ends. xrdp service restarted on one side.

On antares ran
$ xfreerdp /v:sirius /u:<user> /p:<password> /f
which brought up a fullscreen Plasma session with a user terminal. Ran a local sirius calendar application from there. It was very responsive. Only thing to note was that the calendar background image looked washed out.

Could not figure out how to close down and, not being familiar with Plasma, hit the closedown button which actually closed down the remote host - oops. Restarted everything and closed down the remote desktop window on antares by stopping the server on sirius. That is a warning not to use fullscreen.

Anyway, it seems to be working on mga9.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Marja Van Waes 2023-09-30 16:11:57 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0276.html

Resolution: (none) => FIXED