Date: Thu, 23 Nov 2017 09:54:05 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in
 session manager

Hi

MITRE has assigned CVE-2017-16927 for a buffer-overflow flaw in the
scp_v0s_accept function in xrdp's session manager (in default
configurations running as root and listening on the loopback address,
so potentially triggerable by any local user):

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

Quoting the reference:
> The code in question is sesman/libscp/libscp_v0.c, around lines 228
> and 240: a 16-bit unsigned int is read from the input stream to
> represent the string length (for username and password input), and
> used without validation to index/copy from the input stream into a
> 257-byte buffer.

There is a proposed patch/pull request:

https://github.com/neutrinolabs/xrdp/pull/958

Regards,
Salvatore
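
The two checks the quoted description says are missing, shown on a length-prefixed string reader. This is an added example, not part of the original post and not xrdp's code: struct in_stream, read_u16_be and read_lp_string are hypothetical names, and the big-endian length encoding is an assumption; only the 16-bit length field and the 257-byte buffer come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_BUF_SIZE 257  /* destination size quoted in the advisory */

/* Hypothetical input cursor (assumption; not xrdp's stream type). */
struct in_stream {
    const uint8_t *p;    /* next unread byte */
    const uint8_t *end;  /* one past the last received byte */
};

/* Read a 16-bit length (big-endian assumed). 0 on success, -1 if truncated. */
static int read_u16_be(struct in_stream *s, uint16_t *out)
{
    if ((size_t)(s->end - s->p) < 2)
        return -1;
    *out = (uint16_t)((s->p[0] << 8) | s->p[1]);
    s->p += 2;
    return 0;
}

/* Copy one length-prefixed field into dst and NUL-terminate it.
 * Returns 0 on success, -1 on malformed input; dst is untouched on error. */
int read_lp_string(struct in_stream *s, char *dst, size_t dst_size)
{
    uint16_t len;

    if (dst_size == 0 || read_u16_be(s, &len) != 0)
        return -1;
    /* Check 1: the peer-supplied length (up to 65535) must fit the
     * destination with room for the terminator. */
    if (len >= dst_size)
        return -1;
    /* Check 2: the length must not exceed the bytes actually received,
     * otherwise the copy reads past the end of the input. */
    if ((size_t)(s->end - s->p) < len)
        return -1;
    memcpy(dst, s->p, len);
    dst[len] = '\0';
    s->p += len;
    return 0;
}
```

A caller would declare char username[FIELD_BUF_SIZE] and reject the connection when read_lp_string returns -1, rather than truncating and continuing.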
