Bug 13346

Summary:	[CVE 21] xrdp 0.9.20 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2022-23468, CVE-2022-23477, CVE-2022-23478, CVE-2022-23479, CVE-2022-23480, CVE-2022-23481, CVE-2022-23482, CVE-2022-23483, CVE-2022-23484, CVE-2022-23493,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-05-03 18:22:07 MSK

Please patch CVEs for package xrdp version 0.9.20

INFO (CVEs are): xrdp 0.9.20
cves found
CVE-2022-23468
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_login_wnd_create() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23468
Severity: CRITICAL
CVE-2022-23477
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23477
Severity: CRITICAL
CVE-2022-23478
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Write in xrdp_mm_trans_process_drdynvc_channel_open() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23478
Severity: CRITICAL
CVE-2022-23479
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_mm_chan_data_in() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23479
Severity: CRITICAL
CVE-2022-23480
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in devredir_proc_client_devlist_announce_req() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23480
Severity: CRITICAL
CVE-2022-23481
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_caps_process_confirm_active() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23481
Severity: CRITICAL
CVE-2022-23482
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23482
Severity: CRITICAL
CVE-2022-23483
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in libxrdp_send_to_channel() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23483
Severity: CRITICAL
CVE-2022-23484
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Integer Overflow in xrdp_mm_process_rail_update_window_text() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23484
Severity: CRITICAL
CVE-2022-23493
Desc: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close() function. There are no known workarounds for this issue. Users are advised to upgrade.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-23493
Severity: CRITICAL

Comment 1 Aleksandr Proklov 2023-05-27 08:24:46 MSK

CVE закрыты обновлением xrdp-0.9.22.1

https://abf.io/build_lists/4446139
https://abf.io/build_lists/4446140
https://abf.io/build_lists/4446141
https://abf.io/build_lists/4446142
https://abf.io/build_lists/4446143

Comment 2 Dmitry Postnikov 2023-06-01 09:40:02 MSK

***************************
The update sent to testings

Comment 3 Vladimir Potapov 2023-06-06 11:36:41 MSK

xrdp-0.9.22.1-1
https://abf.io/build_lists/4446139
https://abf.io/build_lists/4446140
https://abf.io/build_lists/4446141
https://abf.io/build_lists/4446142
https://abf.io/build_lists/4446143
***************************** Advisory ***************************
Up to 0.9.22.1 for CVE fixing
******************************************************************
QA Verified

Comment 4 Yury 2023-07-05 11:12:53 MSK

Secteam approved