Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Sep 2023 18:44:23 GMT
From:      Koichiro Iwao <meta@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 4bed8aa9242e - main - security/vuxml: document multiple xrdp vulnerabilities
Message-ID:  <202309271844.38RIiNnA009037@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by meta:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4bed8aa9242e98d3a170d530de04af33f3a74295

commit 4bed8aa9242e98d3a170d530de04af33f3a74295
Author:     Koichiro Iwao <meta@FreeBSD.org>
AuthorDate: 2023-09-27 18:43:41 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2023-09-27 18:43:41 +0000

    security/vuxml: document multiple xrdp vulnerabilities
---
 security/vuxml/vuln/2023.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 1c78e1b8212a..be12b98c8e0a 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,72 @@
+  <vuln vid="af065e47-5d62-11ee-bbae-1c61b4739ac9">
+    <topic>xrdp -- unchecked access to font glyph info</topic>
+    <affects>
+      <package>
+	<name>xrdp</name>
+	<range><lt>0.9.23.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>xrdp team reports:</p>
+	<blockquote cite="https://www.cve.org/CVERecord?id=CVE-2023-42822">;
+	<p>Access to the font glyphs in xrdp_painter.c is not bounds-checked.
+	Since some of this data is controllable by the user, this can result
+	in an out-of-bounds read within the xrdp executable. The vulnerability
+	allows an out-of-bounds read within a potentially privileged process.
+	On non-Debian platforms, xrdp tends to run as root. Potentially an
+	out-of-bounds write can follow the out-of-bounds read. There is no
+	denial-of-service impact, providing xrdp is running in forking mode. This
+	issue has been addressed in release 0.9.23.1. Users are advised to upgrade.
+	There are no known workarounds for this vulnerability.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-42822</cvename>
+      <url>https://www.cve.org/CVERecord?id=CVE-2023-42822</url>;
+      <url>https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw</url>;
+    </references>
+    <dates>
+      <discovery>2023-09-27</discovery>
+      <entry>2023-09-27</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c9ff1150-5d63-11ee-bbae-1c61b4739ac9">
+    <topic>xrdp -- Improper handling of session establishment errors allows bypassing OS-level session restrictions</topic>
+    <affects>
+      <package>
+	<name>xrdp</name>
+	<range><lt>0.9.23</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>xrdp team reports:</p>
+	<blockquote cite="https://www.cve.org/CVERecord?id=CVE-2023-40184">;
+	<p>In versions prior to 0.9.23 improper handling of session establishment
+	errors allows bypassing OS-level session restrictions. The `auth_start_session`
+	function can return non-zero (1) value on, e.g., PAM error which may result
+	in session restrictions such as max concurrent sessions per user by PAM
+	(ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't
+	use restrictions by PAM are not affected. This issue has been addressed in
+	release version 0.9.23. Users are advised to upgrade. There are no known
+	workarounds for this issue.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2023-40184</cvename>
+      <url>https://www.cve.org/CVERecord?id=CVE-2023-40184</url>;
+      <url>https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq</url>;
+    </references>
+    <dates>
+      <discovery>2023-08-30</discovery>
+      <entry>2023-09-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ea9d1fd2-5d24-11ee-8507-b42e991fc52e">
     <topic>routinator -- Possible path traversal when storing RRDP responses</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202309271844.38RIiNnA009037>