Fedora has issued an advisory today (December 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/67CHZVOMSTH2Q7P3TYFUNZUA6J7ZYEBQ/ The issues are fixed upstream in 0.9.21.
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 0.9.21
Unsure for assignment, so going global. Noting that NicolasS is already CC'd.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

xrdp < v0.9.21 contains a buffer overflow in the xrdp_login_wnd_create() function. (CVE-2022-23468)

xrdp < v0.9.21 contains a buffer overflow in the audin_send_open() function. (CVE-2022-23477)

xrdp < v0.9.21 contains an out-of-bounds write in the xrdp_mm_trans_process_drdynvc_channel_open() function. (CVE-2022-23478)

xrdp < v0.9.21 contains a buffer overflow in the xrdp_mm_chan_data_in() function. (CVE-2022-23479)

xrdp < v0.9.21 contains a buffer overflow in the devredir_proc_client_devlist_announce_req() function. (CVE-2022-23480)

xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_caps_process_confirm_active() function. (CVE-2022-23481)

xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_sec_process_mcs_data_CS_CORE() function. (CVE-2022-23482)

xrdp < v0.9.21 contains an out-of-bounds read in the libxrdp_send_to_channel() function. (CVE-2022-23483)

xrdp < v0.9.21 contains an integer overflow in the xrdp_mm_process_rail_update_window_text() function. (CVE-2022-23484)

xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_mm_trans_process_drdynvc_channel_close() function. (CVE-2022-23493)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23478
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23480
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23493
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/67CHZVOMSTH2Q7P3TYFUNZUA6J7ZYEBQ/
========================

Updated packages in core/updates_testing:
========================

xrdp-0.9.21-1.mga8
xrdp-devel-0.9.21-1.mga8

from SRPM:
xrdp-0.9.21-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.9.21 => (none)
Status: NEW => ASSIGNED
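The advisory above states the fix boundary as "xrdp < v0.9.21". The script below is an added example for this report, not Mageia QA's or the xrdp project's code: it turns that boundary into a check a tester or admin can run, comparing a version (or an RPM name-version-release string such as the xrdp-0.9.21-1.mga8 in the advisory) field by field against 0.9.21. The pre-update package name in the sample inputs is a constructed value, not one taken from this bug; the rpm query at the end is only used when rpm exists on the host.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the xrdp project): decide whether an
# xrdp version predates 0.9.21, the upstream release the advisory names as the
# fix for CVE-2022-23468 .. CVE-2022-23493.
# Assumptions: dotted numeric versions (as xrdp uses); the rpm query at the
# bottom is a convenience and is skipped when rpm is not installed.

FIXED_VERSION="0.9.21"

# vercmp A B -> prints -1, 0 or 1, comparing dotted numeric versions field by
# field so that 0.9.9 < 0.9.21 (a plain string compare would get this wrong).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        : "${ai:=0}" "${bi:=0}"     # a missing trailing field counts as 0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# version_from_nvr xrdp-VERSION-RELEASE[.ARCH] -> VERSION, so the
# "xrdp-0.9.21-1.mga8" strings in the advisory become "0.9.21".
# A bare version string passes through unchanged.
version_from_nvr() {
    v="${1#xrdp-}"
    printf '%s\n' "${v%%-*}"
}

# xrdp_vulnerable VERSION -> exit status 0 when VERSION is older than 0.9.21,
# i.e. still exposed to the ten CVEs listed in the advisory.
xrdp_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -eq -1 ]
}

# check_nvr NVR-or-VERSION -> prints a one-line verdict for the package.
check_nvr() {
    if xrdp_vulnerable "$(version_from_nvr "$1")"; then
        printf '%s: vulnerable (< %s)\n' "$1" "$FIXED_VERSION"
    else
        printf '%s: fixed (>= %s)\n' "$1" "$FIXED_VERSION"
    fi
}

# Constructed sample inputs: an assumed pre-update package name (not taken
# from the bug report) and the update package named in the advisory.
check_nvr "xrdp-0.9.9-1.mga8"
check_nvr "xrdp-0.9.21-1.mga8.x86_64"

# On a real Mageia host, query the installed package the same way.
if command -v rpm >/dev/null 2>&1; then
    if installed="$(rpm -q --queryformat '%{VERSION}\n' xrdp 2>/dev/null)"; then
        check_nvr "$installed"
    fi
fi
```

The field-by-field compare matters here: 0.9.21 sorts before 0.9.9 under plain string comparison, so a naive check would report the fixed package as vulnerable.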
mga8, x64

Installing this pulled in tigervnc-server vnc-server-common tigervnc-server

Generating a RSA private key
.............+++++
.............+++++
writing new private key to '/etc/pki/tls/private/xrdp.pem'
-----

Updated via qarepo and drakrpm-update.

# systemctl start xrdp
# systemctl start xrdp-sesman.service
# systemctl status xrdp
● xrdp.service - xrdp daemon
     Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor pre>
     Active: active (running) since Wed 2022-12-28 20:36:05 GMT; 1min 6s ago
....
Dec 28 20:36:05 rutilicus xrdp[824766]: [INFO ] starting xrdp with pid 824766
Dec 28 20:36:05 rutilicus xrdp[824766]: [INFO ] address [0.0.0.0] port [3389] m>
Dec 28 20:36:05 rutilicus xrdp[824766]: [INFO ] listening to port 3389 on 0.0.0>
Dec 28 20:36:05 rutilicus xrdp[824766]: [INFO ] xrdp_listen_pp done

$ sudo xrdp
$ sudo xrdp-sesman

There is a change here from an earlier test: the previous two commands are silent, whereas they output configuration information before.

$ sudo xrdp --dump-config
logging configuration:
    LogFile:       /var/log/xrdp.log
    LogLevel:      [INFO ]
    ConsoleLevel:  <disabled>
    SyslogLevel:   [INFO ]

$ sudo cat /var/log/xrdp.log
[20221228-20:36:05] [INFO ] starting xrdp with pid 824766
[20221228-20:36:05] [INFO ] address [0.0.0.0] port [3389] mode 1
[20221228-20:36:05] [INFO ] listening to port 3389 on 0.0.0.0
[20221228-20:36:05] [INFO ] xrdp_listen_pp done
[20221228-20:41:05] [INFO ] address [0.0.0.0] port [3389] mode 1
[20221228-20:41:05] [INFO ] listening to port 3389 on 0.0.0.0
[20221228-20:41:05] [ERROR] g_tcp_bind(7, 3389) failed bind IPv6 (errno=98) and IPv4 (errno=22).

That looks OK. I guess the session manager needs something to work with.

Enabled vncserver and rebooted.
$ sudo systemctl status vncserver
● vncserver.service - LSB: Start TigerVNC server at boot time
     Loaded: loaded (/etc/rc.d/init.d/vncserver; generated)
     Active: active (exited) since Wed 2022-12-28 21:04:23 GMT; 39s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 7428 ExecStart=/etc/rc.d/init.d/vncserver start (code=exited, stat>
        CPU: 21ms
Dec 28 21:04:23 rutilicus systemd[1]: Starting LSB: Start TigerVNC server at bo>
Dec 28 21:04:23 rutilicus vncserver[7428]: Starting vncserver: [  OK  ]
Dec 28 21:04:23 rutilicus systemd[1]: Started LSB: Start TigerVNC server at boo>

$ sudo xrdp
$ sudo xrdp-sesman

Cannot find anything in the wiki regarding VNC.

Installed and enabled tiger-vnc on an adjacent PC - active (exited). No idea at this point how to configure tigervnc. These are the choices:

# securitytypes=vncauth,tlsvnc
# desktop=sandbox
# geometry=2000x1200
# localhost
# alwaysshared
CC: (none) => tarazed25
The default choices that is.
Right. Found bug 22076. Shall use that as a basis, tomorrow.
freerdp is installed but

$ freerdp
bash: freerdp: command not found
$ rdesktop -n canopus -u lcl -g 1920x1200 -server:3389 -p -

That was rejected.

Tried Remote Desktop Viewer from the Internet menu and that worked fine but implied that Vinagre was being used. Connected to the remote desktop and ran a graphical calendar application. Shall check Vinagre later to see if it uses xrdp.
xfreerdp is the freerdp command.
MGA8-64 MATE on Acer Aspire.

The following 4 packages are going to be installed:
- tigervnc-server-1.11.0-4.mga8.x86_64
- vnc-server-common-1.0-9.mga8.noarch
- xrdp-0.9.21-1.mga8.x86_64
- xrdp-devel-0.9.21-1.mga8.x86_64

Following Len's lead:

# systemctl start xrdp
# systemctl start xrdp-sesman.service
# systemctl status xrdp
● xrdp.service - xrdp daemon
     Loaded: loaded (/usr/lib/systemd/system/xrdp.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-12-29 10:24:23 CET; 33s ago
       Docs: man:xrdp(8)
             man:xrdp.ini(5)
   Main PID: 12414 (xrdp)
      Tasks: 1 (limit: 4364)
     Memory: 1.0M
        CPU: 27ms
     CGroup: /system.slice/xrdp.service
             └─12414 /usr/sbin/xrdp --nodaemon
Dec 29 10:24:23 mach7.hviaene.thuis systemd[1]: Started xrdp daemon.
Dec 29 10:24:24 mach7.hviaene.thuis xrdp[12414]: [INFO ] starting xrdp with pid 12414
Dec 29 10:24:24 mach7.hviaene.thuis xrdp[12414]: [INFO ] address [0.0.0.0] port [3389] mode 1
Dec 29 10:24:24 mach7.hviaene.thuis xrdp[12414]: [INFO ] listening to port 3389 on 0.0.0.0
Dec 29 10:24:24 mach7.hviaene.thuis xrdp[12414]: [INFO ] xrdp_listen_pp done

Then opened port tcp/3389 in MCC.

On desktop PC (which already had freerdp installed) entered the command:

xfreerdp /v:mach7 /u:<userid> /p:<passwd>

Exercising some patience as this is a slow laptop, but Mageia wallpaper and panel showed up (had to give the root password twice for some configuration of colour device???), and was able to open caja and browse the files of the user on the laptop.

Looks OK to me.
CC: (none) => herman.viaene
Apparently everybody is happy, so I give the OK.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm
Oops. Forgot the Keyword field.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0002.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED