From 7c54c935cb6c3b5d96554d9fd3de72e5240f72aa Mon Sep 17 00:00:00 2001 
From: Gyorgy Sarvari Date: Mon, 2 Feb 2026 17:37:14 +0100 Subject: xrdp: upgrade 0.10.4.1 -> 0.10.5 Contains fix for CVE-2025-68670. Drop patch that is included in this release. Changelog: Security fixes: - CVE-2025-68670 New features: - It is now possible to start the xrdp daemon entirely unprivileged from the service manager. If you do this certain restrictions will apply. See https://github.com/neutrinolabs/xrdp/wiki/Running-the-xrdp-process-as-non-root for details. - TLS pre-master secrets can now be recorded for packet captures - Add a FuseRootReportMaxFree to work around 'no free space' issues with some file managers - Alternate shell names can now be passed to startwm.sh in an environment variable for more system management control - Updated Xorg paths in sesman.ini to include more recent distros - Add Slovenian keyboard - xrdpapi: Add a way to monitor connect/disconnect events Bug fixes: - Allow an empty X11 UTF8_STRING to be pasted to the clipboard - Fix a regression introduced in v0.10.x, where it became impossible to connect to a VNC server which did not support the ExtendedDesktopSize encoding - Fix a regression introduced in v0.10.x related to PAM groups handling - Inconsistencies with [MS-RDPBCGR] have been addressed - A reference to uninitialised data within the verify_user_pam_userpass.c module has been fixed - Prevent some possible crashes when the RFX encoder is resized - Fixes a regression introduced by GFX development which prevented the JPEG encoder from working correctly - Fixes a regression introduced by #2974 which resulted in the xrdp PID file being deleted unexpectedly - Do not overwrite a VNC port set by the user when not using sesman - Fix regression from 0.9.x when freerdp client uses /workarea - Fixes a crash where a resize is attempted with drdynvc disabled - getgrouplist() now compiles on MacOS - Various Coverity warnings have been addressed - Documentation improvements Internal changes: - An unnecessary include of sys/signal.h 
causing a compile warning on MUSL-C has been removed Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- .../xrdp/xrdp/fix-compiling-with-musl.patch | 27 ----- meta-oe/recipes-support/xrdp/xrdp_0.10.4.1.bb | 131 --------------------- meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb | 129 ++++++++++++++++++++ 3 files changed, 129 insertions(+), 158 deletions(-) delete mode 100644 meta-oe/recipes-support/xrdp/xrdp/fix-compiling-with-musl.patch delete mode 100644 meta-oe/recipes-support/xrdp/xrdp_0.10.4.1.bb create mode 100644 meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb
diff --git a/meta-oe/recipes-support/xrdp/xrdp/fix-compiling-with-musl.patch b/meta-oe/recipes-support/xrdp/xrdp/fix-compiling-with-musl.patch
deleted file mode 100644
index c716229ab6..0000000000
--- a/meta-oe/recipes-support/xrdp/xrdp/fix-compiling-with-musl.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-
-sys/signal.h does almost the same in both glibc and musl: it includes "signal.h"
-
-However with musl there is also a warning macro about this, which is interpreted as
-an error during building.
-
-Fixes error:
-
-| In file included from ../../sources/xrdp-0.10.4.1/waitforx/waitforx.c:5:
-| <...>/usr/include/sys/signal.h:1:2: error: #warning redirecting incorrect #include to [-Werror=cpp]
-| 1 | #warning redirecting incorrect #include to
-| | ^~~~~~~
-| cc1: all warnings being treated as errors
-
-Upstream-Status: Submitted [https://github.com/neutrinolabs/xrdp/pull/3678]
-Signed-off-by: Gyorgy Sarvari
-
---- ./waitforx/waitforx.c.orig 2025-11-25 14:38:46.464337398 +0100
-+++ ./waitforx/waitforx.c 2025-11-25 14:38:52.007441093 +0100
-@@ -2,7 +2,6 @@
- #include
- #include
- #include
--#include
- #include
-
- #include "config_ac.h"
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.10.4.1.bb b/meta-oe/recipes-support/xrdp/xrdp_0.10.4.1.bb
deleted file mode 100644
index 8203ada8e5..0000000000
--- a/meta-oe/recipes-support/xrdp/xrdp_0.10.4.1.bb
+++ /dev/null
@@ -1,131 +0,0 @@
-SUMMARY = "An open source remote desktop protocol(rdp) server."
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=72cfbe4e7bd33a0a1de9630c91195c21 \
-"
-
-inherit features_check autotools pkgconfig useradd systemd ptest
-
-DEPENDS = "openssl virtual/libx11 libxfixes libxrandr libpam nasm-native imlib2 pixman libsm"
-
-REQUIRED_DISTRO_FEATURES = "x11 pam"
-
-SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
- file://xrdp.sysconfig \
- file://run-ptest \
- file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
- file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \
- file://0001-mark-count-with-unused-attribute.patch \
- "
-SRC_URI:append:libc-musl = " file://fix-compiling-with-musl.patch"
-
-SRC_URI[sha256sum] = "52eadf3e86c57be0de0b9d5c184b52a7946a070746d3eb04b5089dd6d42f8f5f"
-
-UPSTREAM_CHECK_URI = "https://github.com/neutrinolabs/xrdp/releases"
-UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)"
-
-CFLAGS += " -Wno-deprecated-declarations"
-
-PACKAGECONFIG ??= "fuse ${@bb.utils.contains('PTEST_ENABLED', '1', 'test', '', d)}"
-PACKAGECONFIG[fuse] = " --enable-fuse, --disable-fuse, fuse3"
-PACKAGECONFIG[test] = " --enable-tests, , libcheck cmocka"
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system xrdp"
-USERADD_PARAM:${PN} = "--system --home /var/run/xrdp -g xrdp \
- --no-create-home --shell /bin/false xrdp"
-
-FILES:${PN} += "${datadir}/dbus-1/services/*.service \
- ${datadir}/dbus-1/accessibility-services/*.service "
-
-FILES:${PN}-dev += " \
- ${libdir}/xrdp/libcommon.so \
- ${libdir}/xrdp/libxrdp.so \
- ${libdir}/xrdp/libxrdpapi.so \
- ${libdir}/xrdp/libtoml.so \
- ${libdir}/xrdp/libsesman.so \
- ${libdir}/xrdp/libipm.so \
- "
-
-EXTRA_OECONF = "--enable-pam-config=suse --enable-fuse \
- --enable-pixman --enable-painter --enable-vsock \
- --enable-ipv6 --with-imlib2 --with-socketdir=${localstatedir}/run/${PN}"
-
-do_configure:prepend() {
- cd ${S}
- ./bootstrap
- cd -
-}
-
-do_compile:prepend() {
- sed -i 's/(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am/(MAKE) $(AM_MAKEFLAGS) install-exec-am/g' ${S}/keygen/Makefile.in
- echo "" > ${B}/xrdp_configure_options.h
-}
-
-do_install:append() {
-
- # deal with systemd unit files
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${S}/instfiles/xrdp.service.in ${D}${systemd_unitdir}/system/xrdp.service
- install -m 0644 ${S}/instfiles/xrdp-sesman.service.in ${D}${systemd_unitdir}/system/xrdp-sesman.service
- sed -i -e 's,@localstatedir@,${localstatedir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
- sed -i -e 's,@sysconfdir@,${sysconfdir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
- sed -i -e 's,@sbindir@,${sbindir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
-
- install -d ${D}${sysconfdir}/sysconfig/xrdp
- install -m 0644 ${S}/instfiles/*.ini ${D}${sysconfdir}/xrdp/
- install -m 0644 ${S}/keygen/openssl.conf ${D}${sysconfdir}/xrdp/
- install -m 0644 ${UNPACKDIR}/xrdp.sysconfig ${D}${sysconfdir}/sysconfig/xrdp/
- chown xrdp:xrdp ${D}${sysconfdir}/xrdp
-}
-
-do_compile_ptest() {
- for testdir in $(find ./tests -type d -mindepth 1); do
- cd $testdir
- echo 'buildtest-TESTS: $(check_PROGRAMS)' >> Makefile
- # change the test-data folder to ./data instead of ${S}
- sed -i 's|-D TOP_SRCDIR=[^ ]*|-D TOP_SRCDIR=\\"./data\\"|' Makefile
- # another test data folder redirection
- sed -i 's|-D IMAGEDIR=[^ ]*|-D IMAGEDIR=\\"./data\\"|' Makefile
- # and another
- sed -i 's|-DXRDP_TOP_SRCDIR=[^ ]*|-DXRDP_TOP_SRCDIR=\\"..\\"|' Makefile
- oe_runmake buildtest-TESTS
- cd -
- done
-}
-
-do_install_ptest() {
- install -d ${D}${PTEST_PATH}/tests/xrdp/gfx
- install -d ${D}${PTEST_PATH}/tests/data/xrdp
- for testbin in $(find ./tests -type f -executable -mindepth 3); do
- install $testbin ${D}${PTEST_PATH}/tests/
- done
- install -m 666 ${S}/xrdp/xrdp256.bmp ${D}${PTEST_PATH}/tests/data/xrdp/
- install -m 666 ${S}/xrdp/ad256.bmp ${D}${PTEST_PATH}/tests/data/xrdp/
- install -m 666 ${S}/tests/xrdp/*.bmp ${D}${PTEST_PATH}/tests/data/
- install -m 666 ${S}/tests/xrdp/test1.jpg ${D}${PTEST_PATH}/tests/data/
- install -m 666 ${S}/tests/xrdp/test_alpha_blend.png ${D}${PTEST_PATH}/tests/data/
- install -m 666 ${S}/tests/xrdp/gfx/* ${D}${PTEST_PATH}/tests/xrdp/gfx/
-}
-
-RDEPENDS:${PN}-ptest += "imlib2-loaders"
-
-SYSTEMD_SERVICE:${PN} = "xrdp.service xrdp-sesman.service"
-
-pkg_postinst:${PN}() {
- if test -z "$D"
- then
- if test -x ${bindir}/xrdp-keygen
- then
- ${bindir}/xrdp-keygen xrdp ${sysconfdir}/xrdp/rsakeys.ini >/dev/null
- fi
- if test ! -s ${sysconfdir}/xrdp/cert.pem
- then
- openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
- -keyout ${sysconfdir}/xrdp/key.pem \
- -out ${sysconfdir}/xrdp/cert.pem \
- -config ${sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1
- chmod 400 ${sysconfdir}/xrdp/key.pem
- fi
- fi
-}
diff --git a/meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb b/meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb
new file mode 100644
index 0000000000..8d7c5807f2
--- /dev/null
+++ b/meta-oe/recipes-support/xrdp/xrdp_0.10.5.bb
@@ -0,0 +1,129 @@
+SUMMARY = "An open source remote desktop protocol(rdp) server."
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=72cfbe4e7bd33a0a1de9630c91195c21 \
+"
+
+inherit features_check autotools pkgconfig useradd systemd ptest
+
+DEPENDS = "openssl virtual/libx11 libxfixes libxrandr libpam nasm-native imlib2 pixman libsm"
+
+REQUIRED_DISTRO_FEATURES = "x11 pam"
+
+SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+ file://xrdp.sysconfig \
+ file://run-ptest \
+ file://0001-Added-req_distinguished_name-in-etc-xrdp-openssl.con.patch \
+ file://0001-arch-Define-NO_NEED_ALIGN-on-ppc64.patch \
+ file://0001-mark-count-with-unused-attribute.patch \
+ "
+SRC_URI[sha256sum] = "9abc96d164de4b1c40e2f3f537d0593d052a640cf3388978c133715ea69fb123"
+
+UPSTREAM_CHECK_URI = "https://github.com/neutrinolabs/xrdp/releases"
+UPSTREAM_CHECK_REGEX = "releases/tag/v(?P\d+(\.\d+)+)"
+
+CFLAGS += " -Wno-deprecated-declarations"
+
+PACKAGECONFIG ??= "fuse ${@bb.utils.contains('PTEST_ENABLED', '1', 'test', '', d)}"
+PACKAGECONFIG[fuse] = " --enable-fuse, --disable-fuse, fuse3"
+PACKAGECONFIG[test] = " --enable-tests, , libcheck cmocka"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system xrdp"
+USERADD_PARAM:${PN} = "--system --home /var/run/xrdp -g xrdp \
+ --no-create-home --shell /bin/false xrdp"
+
+FILES:${PN} += "${datadir}/dbus-1/services/*.service \
+ ${datadir}/dbus-1/accessibility-services/*.service "
+
+FILES:${PN}-dev += " \
+ ${libdir}/xrdp/libcommon.so \
+ ${libdir}/xrdp/libxrdp.so \
+ ${libdir}/xrdp/libxrdpapi.so \
+ ${libdir}/xrdp/libtoml.so \
+ ${libdir}/xrdp/libsesman.so \
+ ${libdir}/xrdp/libipm.so \
+ "
+
+EXTRA_OECONF = "--enable-pam-config=suse --enable-fuse \
+ --enable-pixman --enable-painter --enable-vsock \
+ --enable-ipv6 --with-imlib2 --with-socketdir=${localstatedir}/run/${PN}"
+
+do_configure:prepend() {
+ cd ${S}
+ ./bootstrap
+ cd -
+}
+
+do_compile:prepend() {
+ sed -i 's/(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am/(MAKE) $(AM_MAKEFLAGS) install-exec-am/g' ${S}/keygen/Makefile.in
+ echo "" > ${B}/xrdp_configure_options.h
+}
+
+do_install:append() {
+
+ # deal with systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${S}/instfiles/xrdp.service.in ${D}${systemd_unitdir}/system/xrdp.service
+ install -m 0644 ${S}/instfiles/xrdp-sesman.service.in ${D}${systemd_unitdir}/system/xrdp-sesman.service
+ sed -i -e 's,@localstatedir@,${localstatedir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
+ sed -i -e 's,@sysconfdir@,${sysconfdir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
+ sed -i -e 's,@sbindir@,${sbindir},g' ${D}${systemd_unitdir}/system/xrdp.service ${D}${systemd_unitdir}/system/xrdp-sesman.service
+
+ install -d ${D}${sysconfdir}/sysconfig/xrdp
+ install -m 0644 ${S}/instfiles/*.ini ${D}${sysconfdir}/xrdp/
+ install -m 0644 ${S}/keygen/openssl.conf ${D}${sysconfdir}/xrdp/
+ install -m 0644 ${UNPACKDIR}/xrdp.sysconfig ${D}${sysconfdir}/sysconfig/xrdp/
+ chown xrdp:xrdp ${D}${sysconfdir}/xrdp
+}
+
+do_compile_ptest() {
+ for testdir in $(find ./tests -type d -mindepth 1); do
+ cd $testdir
+ echo 'buildtest-TESTS: $(check_PROGRAMS)' >> Makefile
+ # change the test-data folder to ./data instead of ${S}
+ sed -i 's|-D TOP_SRCDIR=[^ ]*|-D TOP_SRCDIR=\\"./data\\"|' Makefile
+ # another test data folder redirection
+ sed -i 's|-D IMAGEDIR=[^ ]*|-D IMAGEDIR=\\"./data\\"|' Makefile
+ # and another
+ sed -i 's|-DXRDP_TOP_SRCDIR=[^ ]*|-DXRDP_TOP_SRCDIR=\\"..\\"|' Makefile
+ oe_runmake buildtest-TESTS
+ cd -
+ done
+}
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/tests/xrdp/gfx
+ install -d ${D}${PTEST_PATH}/tests/data/xrdp
+ for testbin in $(find ./tests -type f -executable -mindepth 3); do
+ install $testbin ${D}${PTEST_PATH}/tests/
+ done
+ install -m 666 ${S}/xrdp/xrdp256.bmp ${D}${PTEST_PATH}/tests/data/xrdp/
+ install -m 666 ${S}/xrdp/ad256.bmp ${D}${PTEST_PATH}/tests/data/xrdp/
+ install -m 666 ${S}/tests/xrdp/*.bmp ${D}${PTEST_PATH}/tests/data/
+ install -m 666 ${S}/tests/xrdp/test1.jpg ${D}${PTEST_PATH}/tests/data/
+ install -m 666 ${S}/tests/xrdp/test_alpha_blend.png ${D}${PTEST_PATH}/tests/data/
+ install -m 666 ${S}/tests/xrdp/gfx/* ${D}${PTEST_PATH}/tests/xrdp/gfx/
+}
+
+RDEPENDS:${PN}-ptest += "imlib2-loaders"
+
+SYSTEMD_SERVICE:${PN} = "xrdp.service xrdp-sesman.service"
+
+pkg_postinst:${PN}() {
+ if test -z "$D"
+ then
+ if test -x ${bindir}/xrdp-keygen
+ then
+ ${bindir}/xrdp-keygen xrdp ${sysconfdir}/xrdp/rsakeys.ini >/dev/null
+ fi
+ if test ! -s ${sysconfdir}/xrdp/cert.pem
+ then
+ openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+ -keyout ${sysconfdir}/xrdp/key.pem \
+ -out ${sysconfdir}/xrdp/cert.pem \
+ -config ${sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1
+ chmod 400 ${sysconfdir}/xrdp/key.pem
+ fi
+ fi
+}
-- cgit v1.2.3-54-g00ecf
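Review bot: The six `install -m 666` lines in do_install_ptest leave the ptest image fixtures world-writable on the target; nothing visible in the recipe writes to them after install, so `install -m 0644` looks sufficient (worth confirming that no test rewrites a fixture in place). In pkg_postinst the `openssl req` call ends in `>/dev/null 2>&1`, so a failed first-boot certificate generation produces no diagnostic; dropping the `2>&1` would keep the error text in the postinst log. Both spots are carried over unchanged from the deleted xrdp_0.10.4.1.bb, so they could equally go into a follow-up commit rather than this upgrade.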