| Summary: | xrdp new security issue CVE-2023-42822 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | xrdp-0.9.23-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |

Description (Nicolas Salguero, 2023-11-27 17:29:42 CET)

Nicolas Salguero, 2023-11-27 17:30:15 CET
Source RPM: (none) => xrdp-0.9.23-1.mga10.src.rpm

Version 0.9.23.1 also contains the fix for that problem. Careful with the trailing '1'!
https://github.com/neutrinolabs/xrdp/releases
"xrdp v0.9.23.1 Latest
Release notes for xrdp v0.9.23.1 (2023/09/27)
This is a security fix release for CVE-2023-42822. This update is recommended for all xrdp users.
Security fixes
CVE-2023-42822: Unchecked access to font glyph info"
So it looks like rather than messing about patching, updating to the latest version fixes it. Assigning globally, no one packager in evidence.
Status comment: Patch available from upstream => Patch available from upstream; fixed in v0.9.23.1

Suggested advisory:
========================
The updated packages fix a security vulnerability:

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. (CVE-2023-42822)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42822
https://lwn.net/Articles/952920/
========================

Updated packages in core/updates_testing:
========================
xrdp-0.9.23.1-1.mga9
xrdp-devel-0.9.23.1-1.mga9

from SRPM:
xrdp-0.9.23.1-1.mga9.src.rpm
Version: Cauldron => 9

Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
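The advisory's core point, a glyph index that reaches an array subscript without being compared to the table size, as an added illustration in C. This is not xrdp's code and not the upstream fix for CVE-2023-42822: the `struct font` layout, the `glyph_checked` and `draw_text` names and the three-glyph sample font are constructed for this example, and xrdp_painter.c's real data structures differ.

```c
/* Added illustration for the class of bug in CVE-2023-42822; this is NOT
 * xrdp's code. The font layout, glyph struct and function names are
 * hypothetical. The point: a glyph index that comes from the peer must be
 * checked against the table size before it is used as an array subscript. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GLYPH_BITMAP_BYTES 16

struct glyph {
    uint8_t width;
    uint8_t height;
    uint8_t bitmap[GLYPH_BITMAP_BYTES];
};

struct font {
    const struct glyph *glyphs;  /* table of glyph_count entries */
    size_t glyph_count;
};

/* Constructed sample font with three glyphs (placeholder bitmaps). */
static const struct glyph sample_glyphs[3] = {
    { 8, 16, { 0x18, 0x24, 0x42, 0x7e } },
    { 8, 16, { 0x7c, 0x42, 0x7c, 0x42 } },
    { 8, 16, { 0x3c, 0x42, 0x40, 0x3c } },
};
static const struct font sample_font = { sample_glyphs, 3 };

/* Bounds-checked lookup: NULL for a missing table or an index that is not
 * below glyph_count. Using size_t rules out negative indexes as well. */
const struct glyph *glyph_checked(const struct font *f, size_t idx)
{
    if (f == NULL || f->glyphs == NULL || idx >= f->glyph_count)
        return NULL;
    return &f->glyphs[idx];
}

/* Caller-side pattern: a rejected index is treated as a malformed request.
 * Returns 0 on success, -1 on the first bad index; *drawn counts glyphs that
 * were accepted before stopping. Drawing itself is simulated. */
int draw_text(const struct font *f, const uint16_t *codes, size_t n, size_t *drawn)
{
    size_t i;
    *drawn = 0;
    for (i = 0; i < n; i++) {
        const struct glyph *g = glyph_checked(f, codes[i]);
        if (g == NULL)
            return -1;   /* do not touch memory past the glyph table */
        (*drawn)++;
    }
    return 0;
}

/* Two constructed requests: one entirely in range, one with index 3 in a
 * 3-glyph font. Each returns the number of glyphs drawn, or -1 if rejected. */
int demo_in_range(void)
{
    static const uint16_t codes[] = { 0, 2, 1 };
    size_t drawn;
    if (draw_text(&sample_font, codes, 3, &drawn) != 0)
        return -1;
    return (int)drawn;
}

int demo_out_of_range(void)
{
    static const uint16_t codes[] = { 0, 3 };
    size_t drawn;
    if (draw_text(&sample_font, codes, 2, &drawn) != 0)
        return -1;
    return (int)drawn;
}

int main(void)
{
    printf("in-range request drew %d glyph(s)\n", demo_in_range());
    printf("out-of-range request result: %d\n", demo_out_of_range());
    return 0;
}
```

The check lives in the lookup rather than at each call site so that every path that turns peer-supplied data into a glyph pointer goes through it; the caller's only job is to treat a NULL result as a protocol error and stop, which is what keeps the process from reading (or later writing) past the table.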
Marja Van Waes, 2023-11-30 16:45:24 CET
Keywords: advisory => (none)

(In reply to Marja Van Waes from comment #4)
> Advisory from comment 3 added to SVN. Please remove the "advisory" keyword
> if it needs to be changed. It also helps when obsolete advisories are tagged
> as "obsolete"
Had to redo that one, but it is in SVN now.
Keywords: (none) => advisory

mga9-x86, xfce installed, turned off firewall, and started services. I was able to connect using xfreerdp without any issues. Working as designed.
Whiteboard: (none) => MGA9-64-OK

Validating.
CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0334.html
Resolution: (none) => FIXED

(In reply to Mageia Robot from comment #8)
> An update for this issue has been pushed to the Mageia Updates repository.
>
> https://advisories.mageia.org/MGASA-2023-0334.html
Thanks for sharing this.
CC: (none) => reyna1081us

Dave Hodgins, 2024-03-21 15:28:23 CET
CC: reyna1081us => davidwhodgins