Merge pull request #2139 from metalefty/release

Release v0.9.18.1
neutrinolabs · Feb 7, 2022 · 7e61945 · 7e61945
2 parents cb1d034 + b160f84
commit 7e61945
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 5 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,17 @@
+# Release notes for xrdp v0.9.18.1 (2022/02/08)
+
+This is a security fix release that includes fixes for the following privilege escalation vulnerability.
+
+* [CVE-2022-23613: Privilege escalation on xrdp-sesman](https://www.cve.org/CVERecord?id=CVE-2022-23613)
+
+Users who uses xrdp v0.9.17 or v0.9.18 are recommended to update to this version.
+
+## Special thanks
+
+Thanks to [Gilad Kleinman](https://github.com/giladkl) reporting the vulnerability and reviewing fix.
+
+-----------------------
+
 # Release notes for xrdp v0.9.18 (2022/01/10)
 
 ## General announcements

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/neutrinolabs/xrdp-questions)
 ![Apache-License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)
 
-*Current Version:* 0.9.17
+*Current Version:* 0.9.18.1
 
 # xrdp - an open source RDP server
 

diff --git a/configure.ac b/configure.ac
@@ -1,7 +1,7 @@
 # Process this file with autoconf to produce a configure script
 
 AC_PREREQ(2.65)
-AC_INIT([xrdp], [0.9.18], [[email protected]])
+AC_INIT([xrdp], [0.9.18.1], [[email protected]])
 AC_CONFIG_HEADERS(config_ac.h:config_ac-h.in)
 AM_INIT_AUTOMAKE([1.7.2 foreign])
 AC_CONFIG_MACRO_DIR([m4])

diff --git a/sesman/sesman.c b/sesman/sesman.c
@@ -276,16 +276,17 @@ sesman_close_all(void)
 static int
 sesman_data_in(struct trans *self)
 {
+#define HEADER_SIZE 8
     int version;
     int size;
 
     if (self->extra_flags == 0)
     {
         in_uint32_be(self->in_s, version);
         in_uint32_be(self->in_s, size);
-        if (size > self->in_s->size)
+        if (size < HEADER_SIZE || size > self->in_s->size)
         {
-            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size");
+            LOG(LOG_LEVEL_ERROR, "sesman_data_in: bad message size %d", size);
             return 1;
         }
         self->header_size = size;
@@ -302,11 +303,12 @@ sesman_data_in(struct trans *self)
             return 1;
         }
         /* reset for next message */
-        self->header_size = 8;
+        self->header_size = HEADER_SIZE;
         self->extra_flags = 0;
         init_stream(self->in_s, 0); /* Reset input stream pointers */
     }
     return 0;
+#undef HEADER_SIZE
 }
 
 /******************************************************************************/