oss-sec mailing list archives
xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 23 Nov 2017 09:54:05 +0100
Hi MITRE has assigned CVE-2017-16927 for a buffer-overflow flaw in the scp_v0s_accept function in xrdp's session manager (in default configurations running as root and listening on the loopback address, so potentially triggerable by any local user): https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA Quoting the reference:
The code in question is sesman/libscp/libscp_v0.c, around lines 228 and 240: a 16-bit unsigned int is read from the input stream to represent the string length (for username and password input), and used without validation to index/copy from the input stream into a 257-byte buffer.
There is a proposed patch/pull request: https://github.com/neutrinolabs/xrdp/pull/958 Regards, Salvatore
Current thread:
- xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager Salvatore Bonaccorso (Nov 23)