mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
xrdp: patch CVE-2025-68670
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68670 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,78 @@
|
|||||||
|
From 2fbc0cde4383a13089ccaddfb7ec60b2f740aab2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: matt335672 <30179339+matt335672@users.noreply.github.com>
|
||||||
|
Date: Thu, 18 Dec 2025 11:37:30 +0000
|
||||||
|
Subject: [PATCH] CVE-2025-68670: Buffer overflow parsing domain
|
||||||
|
|
||||||
|
A potential overflow in xrdp_wm_parse_domain_information() is
|
||||||
|
addressed
|
||||||
|
|
||||||
|
CVE: CVE-2025-68670
|
||||||
|
Upstream-Status: Backport [https://github.com/neutrinolabs/xrdp/commit/dd4b56c9873bd246ba3d815522b27d90c99fcc30]
|
||||||
|
(cherry picked from commit dd4b56c9873bd246ba3d815522b27d90c99fcc30)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
xrdp/xrdp_login_wnd.c | 16 +++++++++-------
|
||||||
|
1 file changed, 9 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
|
||||||
|
index 28748676..1fe9ea50 100644
|
||||||
|
--- a/xrdp/xrdp_login_wnd.c
|
||||||
|
+++ b/xrdp/xrdp_login_wnd.c
|
||||||
|
@@ -277,7 +277,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *wnd)
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
|
||||||
|
- int decode, char *resultBuffer)
|
||||||
|
+ int decode,
|
||||||
|
+ char *resultBuffer, unsigned int resultSize)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
int pos;
|
||||||
|
@@ -287,8 +288,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
|
||||||
|
/* If the first char in the domain name is '_' we use the domain
|
||||||
|
name as IP*/
|
||||||
|
ret = 0; /* default return value */
|
||||||
|
- /* resultBuffer assumed to be 256 chars */
|
||||||
|
- g_memset(resultBuffer, 0, 256);
|
||||||
|
+ g_memset(resultBuffer, 0, resultSize);
|
||||||
|
if (originalDomainInfo[0] == '_')
|
||||||
|
{
|
||||||
|
/* we try to locate a number indicating what combobox index the user
|
||||||
|
@@ -298,7 +298,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
|
||||||
|
* Invalid chars are ignored in microsoft client therefore we use '_'
|
||||||
|
* again. this sec '__' contains the split for index.*/
|
||||||
|
pos = g_pos(&originalDomainInfo[1], "__");
|
||||||
|
- if (pos > 0)
|
||||||
|
+ if (pos > 0 && (unsigned int)pos < resultSize)
|
||||||
|
{
|
||||||
|
/* an index is found we try to use it */
|
||||||
|
LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
|
||||||
|
@@ -325,7 +325,7 @@ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
|
||||||
|
else
|
||||||
|
{
|
||||||
|
LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
|
||||||
|
- g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
|
||||||
|
+ g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
@@ -450,7 +450,8 @@ xrdp_wm_show_edits(struct xrdp_wm *self, struct xrdp_bitmap *combo)
|
||||||
|
{
|
||||||
|
xrdp_wm_parse_domain_information(
|
||||||
|
self->session->client_info->domain,
|
||||||
|
- combo->data_list->count, 0, resultIP);
|
||||||
|
+ combo->data_list->count, 0,
|
||||||
|
+ resultIP, sizeof(resultIP));
|
||||||
|
g_strncpy(b->caption1, resultIP, 255);
|
||||||
|
b->edit_pos = g_mbstowcs(0, b->caption1, 0);
|
||||||
|
}
|
||||||
|
@@ -875,7 +876,8 @@ xrdp_login_wnd_create(struct xrdp_wm *self)
|
||||||
|
combo->item_index = xrdp_wm_parse_domain_information(
|
||||||
|
self->session->client_info->domain,
|
||||||
|
combo->data_list->count, 1,
|
||||||
|
- resultIP /* just a dummy place holder, we ignore */ );
|
||||||
|
+ resultIP,/* just a dummy place holder, we ignore */
|
||||||
|
+ sizeof(resultIP));
|
||||||
|
xrdp_wm_show_edits(self, combo);
|
||||||
|
|
||||||
|
return 0;
|
||||||
@@ -29,6 +29,7 @@ SRC_URI = "https://github.com/neutrinolabs/${BPN}/releases/download/v${PV}/${BPN
|
|||||||
file://CVE-2022-23493.patch \
|
file://CVE-2022-23493.patch \
|
||||||
file://CVE-2023-40184.patch \
|
file://CVE-2023-40184.patch \
|
||||||
file://CVE-2023-42822.patch \
|
file://CVE-2023-42822.patch \
|
||||||
|
file://CVE-2025-68670.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
|
SRC_URI[sha256sum] = "db693401da95b71b4d4e4c99aeb569a546dbdbde343f6d3302b0c47653277abb"
|
||||||
|
|||||||
Reference in New Issue
Block a user