Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 23 Nov 2017 09:54:05 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in
 session manager

Hi

MITRE has assigned CVE-2017-16927 for a buffer-overflow flaw in the
scp_v0s_accept function in xrdp's session manager (in default
configurations running as root and listening on the loopback address,
so potentially triggerable by any local user):

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

Quoting the reference:
> The code in question is sesman/libscp/libscp_v0.c, around lines 228
> and 240: a 16-bit unsigned int is read from the input stream to
> represent the string length (for username and password input), and
> used without validation to index/copy from the input stream into a
> 257-byte buffer.

There is a proposed patch/pull request:

https://github.com/neutrinolabs/xrdp/pull/958

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ