xrdp: patch CVE-2025-68670

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68670 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2026-02-25 12:59:31 +1300
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-03-06 10:09:10 +0530
commit: 9783e418db7697a5d9298fb2833d0494897e8782 (patch)
tree: 91e9f4c8028740af274c029e9521b9710b875636
parent: 24abd61c54b06df372fc8b825751fe17ce3a9410 (diff)
download: meta-openembedded-9783e418db7697a5d9298fb2833d0494897e8782.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch
new file mode 100644
index 0000000000..f0aaaf6718
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch
@@ -0,0 +1,78 @@
+From 2fbc0cde4383a13089ccaddfb7ec60b2f740aab2 Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Thu, 18 Dec 2025 11:37:30 +0000
+Subject: [PATCH] CVE-2025-68670: Buffer overflow parsing domain
+A potential overflow in xrdp_wm_parse_domain_information() is
+addressed
+CVE: CVE-2025-68670
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/dd4b56c9873bd246ba3d815522b27d90c99fcc30]
+(cherry picked from commit dd4b56c9873bd246ba3d815522b27d90c99fcc30)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ xrdp/xrdp_login_wnd.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
+index 28748676..1fe9ea50 100644
+--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
+@@ -277,7 +277,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *wnd)
+ */
+ static int
+ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+-                                 int decode, char *resultBuffer)
+                                 int decode,
+                                 char *resultBuffer, unsigned int resultSize)
+ {
+     int ret;
+     int pos;
+@@ -287,8 +288,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+     /* If the first char in the domain name is '_' we use the domain
+        name as IP*/
+     ret = 0; /* default return value */
+-    /* resultBuffer assumed to be 256 chars */
+-    g_memset(resultBuffer, 0, 256);
+    g_memset(resultBuffer, 0, resultSize);
+     if (originalDomainInfo[0] == '_')
+     {
+         /* we try to locate a number indicating what combobox index the user
+@@ -298,7 +298,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+          * Invalid chars are ignored in microsoft client therefore we use '_'
+          * again. this sec '__' contains the split for index.*/
+         pos = g_pos(&originalDomainInfo[1], "__");
+-        if (pos > 0)
+        if (pos > 0 && (unsigned int)pos < resultSize)
+         {
+             /* an index is found we try to use it */
+             LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
+@@ -325,7 +325,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+         else
+         {
+             LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
+-            g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
+            g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1);
+         }
+     }
+     return ret;
+@@ -450,7 +450,8 @@ xrdp_wm_show_edits(struct xrdp_wm *self, struct xrdp_bitmap *combo)
+                     {
+                         xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+-                            combo->data_list->count, 0, resultIP);
+                            combo->data_list->count, 0,
+                            resultIP, sizeof(resultIP));
+                         g_strncpy(b->caption1, resultIP, 255);
+                         b->edit_pos = g_mbstowcs(0, b->caption1, 0);
+                     }
+@@ -875,7 +876,8 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
+     combo->item_index = xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+                             combo->data_list->count, 1,
+-                            resultIP /* just a dummy place holder, we ignore */ );
+                            resultIP,/* just a dummy place holder, we ignore */
+                            sizeof(resultIP));
+     xrdp_wm_show_edits(self, combo);
+ 
+     return 0;
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
index bcadd03adf..ea63b932ae 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
           file://CVE-2022-23493.patch \
           file://CVE-2023-40184.patch \
           file://CVE-2023-42822.patch \
+           file://CVE-2025-68670.patch \
           "
 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2026-02-25 12:59:31 +1300
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:10 +0530
commit	9783e418db7697a5d9298fb2833d0494897e8782 (patch)
tree	91e9f4c8028740af274c029e9521b9710b875636
parent	24abd61c54b06df372fc8b825751fe17ce3a9410 (diff)
download	meta-openembedded-9783e418db7697a5d9298fb2833d0494897e8782.tar.gz

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch new file mode 100644 index 0000000000..f0aaaf6718 --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2025-68670.patch
@@ -0,0 +1,78 @@
		1	From 2fbc0cde4383a13089ccaddfb7ec60b2f740aab2 Mon Sep 17 00:00:00 2001
		2	From: matt335672 <30179339+matt335672@users.noreply.github.com>
		3	Date: Thu, 18 Dec 2025 11:37:30 +0000
		4	Subject: [PATCH] CVE-2025-68670: Buffer overflow parsing domain
		5
		6	A potential overflow in xrdp_wm_parse_domain_information() is
		7	addressed
		8
		9	CVE: CVE-2025-68670
		10	Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/dd4b56c9873bd246ba3d815522b27d90c99fcc30]
		11	(cherry picked from commit dd4b56c9873bd246ba3d815522b27d90c99fcc30)
		12	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
		13	---
		14	xrdp/xrdp_login_wnd.c \| 16 +++++++++-------
		15	1 file changed, 9 insertions(+), 7 deletions(-)
		16
		17	diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
		18	index 28748676..1fe9ea50 100644
		19	--- a/xrdp/xrdp_login_wnd.c
		20	+++ b/xrdp/xrdp_login_wnd.c
		21	@@ -277,7 +277,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *wnd)
		22	*/
		23	static int
		24	xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
		25	- int decode, char *resultBuffer)
		26	+ int decode,
		27	+ char *resultBuffer, unsigned int resultSize)
		28	{
		29	int ret;
		30	int pos;
		31	@@ -287,8 +288,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
		32	/* If the first char in the domain name is '_' we use the domain
		33	name as IP*/
		34	ret = 0; /* default return value */
		35	- /* resultBuffer assumed to be 256 chars */
		36	- g_memset(resultBuffer, 0, 256);
		37	+ g_memset(resultBuffer, 0, resultSize);
		38	if (originalDomainInfo[0] == '_')
		39	{
		40	/* we try to locate a number indicating what combobox index the user
		41	@@ -298,7 +298,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
		42	* Invalid chars are ignored in microsoft client therefore we use '_'
		43	* again. this sec '__' contains the split for index.*/
		44	pos = g_pos(&originalDomainInfo[1], "__");
		45	- if (pos > 0)
		46	+ if (pos > 0 && (unsigned int)pos < resultSize)
		47	{
		48	/* an index is found we try to use it */
		49	LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
		50	@@ -325,7 +325,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
		51	else
		52	{
		53	LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
		54	- g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
		55	+ g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1);
		56	}
		57	}
		58	return ret;
		59	@@ -450,7 +450,8 @@ xrdp_wm_show_edits(struct xrdp_wm self, struct xrdp_bitmap combo)
		60	{
		61	xrdp_wm_parse_domain_information(
		62	self->session->client_info->domain,
		63	- combo->data_list->count, 0, resultIP);
		64	+ combo->data_list->count, 0,
		65	+ resultIP, sizeof(resultIP));
		66	g_strncpy(b->caption1, resultIP, 255);
		67	b->edit_pos = g_mbstowcs(0, b->caption1, 0);
		68	}
		69	@@ -875,7 +876,8 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
		70	combo->item_index = xrdp_wm_parse_domain_information(
		71	self->session->client_info->domain,
		72	combo->data_list->count, 1,
		73	- resultIP /* just a dummy place holder, we ignore */ );
		74	+ resultIP,/* just a dummy place holder, we ignore */
		75	+ sizeof(resultIP));
		76	xrdp_wm_show_edits(self, combo);
		77
		78	return 0;


diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index bcadd03adf..ea63b932ae 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
29	file://CVE-2022-23493.patch \	29	file://CVE-2022-23493.patch \
30	file://CVE-2023-40184.patch \	30	file://CVE-2023-40184.patch \
31	file://CVE-2023-42822.patch \	31	file://CVE-2023-42822.patch \
		32	file://CVE-2025-68670.patch \
32	"	33	"
33		34
34	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"	35	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"