'[oss-security] xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] xrdp: CVE-2017-16927: Buffer-overflow in scp_v0s_accept function in session manager
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-11-23 8:54:05
Message-ID: 20171123085405.GA25517 () eldamar
[Download RAW message or body]

Hi

MITRE has assigned CVE-2017-16927 for a buffer-overflow flaw in the
scp_v0s_accept function in xrdp's session manager (in default
configurations running as root and listening on the loopback address,
so potentially triggerable by any local user):

https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA

Quoting the reference:
> The code in question is sesman/libscp/libscp_v0.c, around lines 228
> and 240: a 16-bit unsigned int is read from the input stream to
> represent the string length (for username and password input), and
> used without validation to index/copy from the input stream into a
> 257-byte buffer.

There is a proposed patch/pull request:

https://github.com/neutrinolabs/xrdp/pull/958

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic