2 files changed, 66 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch
new file mode 100644
index 0000000000..7172a8264c
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch
@@ -0,0 +1,65 @@
+From 35cca701c753db65d3c05b7ea4fff9bd09e76661 Mon Sep 17 00:00:00 2001
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Wed, 7 Dec 2022 10:21:41 +0000
+Subject: [PATCH] CVE-2022-23483
+Sanitise channel data being passed from application
+Avoids OOB read if the size field is incorrect.
+CVE: CVE-2022-23483
+Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ xrdp/xrdp_mm.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
+index 74b0516afa..64ae229e01 100644
+--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
+@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm *self, struct trans *trans)
+ static int
+ xrdp_mm_trans_process_channel_data(struct xrdp_mm *self, struct stream *s)
+ {
+-    int size;
+-    int total_size;
+    unsigned int size;
+    unsigned int total_size;
+     int chan_id;
+     int chan_flags;
+-    int rv;
+-
+-    in_uint16_le(s, chan_id);
+-    in_uint16_le(s, chan_flags);
+-    in_uint16_le(s, size);
+-    in_uint32_le(s, total_size);
+-    rv = 0;
+    int rv = 0;
+ 
+-    if (rv == 0)
+    if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
+    {
+        rv = 1;
+    }
+    else
+     {
+-        rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
+-                                     chan_flags);
+        in_uint16_le(s, chan_id);
+        in_uint16_le(s, chan_flags);
+        in_uint16_le(s, size);
+        in_uint32_le(s, total_size);
+        if (!s_check_rem_and_log(s, size, "Reading channel data data"))
+        {
+            rv = 1;
+        }
+        else
+        {
+            rv = libxrdp_send_to_channel(self->wm->session, chan_id,
+                                         s->p, size, total_size, chan_flags);
+        }
+     }
+ 
+     return rv;
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
index 0faf664f61..f8fd052e7f 100644
--- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
           file://CVE-2022-23480-2.patch \
           file://CVE-2022-23481.patch \
           file://CVE-2022-23482.patch \
+           file://CVE-2022-23483.patch \
           "
 SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"

diff --git a/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch new file mode 100644 index 0000000000..7172a8264c --- /dev/null +++ b/meta-oe/recipes-support/xrdp/xrdp/CVE-2022-23483.patch
@@ -0,0 +1,65 @@
		1	From 35cca701c753db65d3c05b7ea4fff9bd09e76661 Mon Sep 17 00:00:00 2001
		2	From: matt335672 <30179339+matt335672@users.noreply.github.com>
		3	Date: Wed, 7 Dec 2022 10:21:41 +0000
		4	Subject: [PATCH] CVE-2022-23483
		5
		6	Sanitise channel data being passed from application
		7
		8	Avoids OOB read if the size field is incorrect.
		9
		10	CVE: CVE-2022-23483
		11	Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661]
		12	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		13
		14	---
		15	xrdp/xrdp_mm.c \| 33 +++++++++++++++++++++------------
		16	1 file changed, 21 insertions(+), 12 deletions(-)
		17
		18	diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
		19	index 74b0516afa..64ae229e01 100644
		20	--- a/xrdp/xrdp_mm.c
		21	+++ b/xrdp/xrdp_mm.c
		22	@@ -676,22 +676,31 @@ xrdp_mm_trans_send_channel_setup(struct xrdp_mm self, struct trans trans)
		23	static int
		24	xrdp_mm_trans_process_channel_data(struct xrdp_mm self, struct stream s)
		25	{
		26	- int size;
		27	- int total_size;
		28	+ unsigned int size;
		29	+ unsigned int total_size;
		30	int chan_id;
		31	int chan_flags;
		32	- int rv;
		33	-
		34	- in_uint16_le(s, chan_id);
		35	- in_uint16_le(s, chan_flags);
		36	- in_uint16_le(s, size);
		37	- in_uint32_le(s, total_size);
		38	- rv = 0;
		39	+ int rv = 0;
		40
		41	- if (rv == 0)
		42	+ if (!s_check_rem_and_log(s, 10, "Reading channel data header"))
		43	+ {
		44	+ rv = 1;
		45	+ }
		46	+ else
		47	{
		48	- rv = libxrdp_send_to_channel(self->wm->session, chan_id, s->p, size, total_size,
		49	- chan_flags);
		50	+ in_uint16_le(s, chan_id);
		51	+ in_uint16_le(s, chan_flags);
		52	+ in_uint16_le(s, size);
		53	+ in_uint32_le(s, total_size);
		54	+ if (!s_check_rem_and_log(s, size, "Reading channel data data"))
		55	+ {
		56	+ rv = 1;
		57	+ }
		58	+ else
		59	+ {
		60	+ rv = libxrdp_send_to_channel(self->wm->session, chan_id,
		61	+ s->p, size, total_size, chan_flags);
		62	+ }
		63	}
		64
		65	return rv;


diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb index 0faf664f61..f8fd052e7f 100644 --- a/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb +++ b/meta-oe/recipes-support/xrdp/xrdp_0.9.20.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
24	file://CVE-2022-23480-2.patch \	24	file://CVE-2022-23480-2.patch \
25	file://CVE-2022-23481.patch \	25	file://CVE-2022-23481.patch \
26	file://CVE-2022-23482.patch \	26	file://CVE-2022-23482.patch \
		27	file://CVE-2022-23483.patch \
27	"	28	"
28		29
29	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"	30	SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"