xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager

[Salvatore Bonaccorso <carnil () debian org>]

Hi

MITRE has assigned CVE-2017-16927 for a buffer-overflow flaw in the
scp_v0s_accept function in xrdp's session manager (in default
configurations running as root and listening on the loopback address,
so potentially triggerable by any local user):

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

Quoting the reference:
> The code in question is sesman/libscp/libscp_v0.c, around lines 228
> and 240: a 16-bit unsigned int is read from the input stream to
> represent the string length (for username and password input), and
> used without validation to index/copy from the input stream into a
> 257-byte buffer.

There is a proposed patch/pull request:

https://github.com/neutrinolabs/xrdp/pull/958

Regards,
Salvatore