
Bug 540630

Summary: net-misc/xrdp: denial of service
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: mgorny
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/02/18/10
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-02-19 09:26:28 UTC
From ${URL} :

Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).

It was discovered by Ken Milnore that xrdp 0.6.1 and earlier, when
validating user accounts against plain passwd files or via shadow-utils,
does not check for NULL returns from crypt(). [1]

--- sesman/verify_user.c ---
  encr = crypt(pass,salt);
  if (g_strncmp(encr, hash, 34) != 0)
  {
    return 0;
  }
  return 1;
----------------------------

A NULL return crashes the xrdp-sesman daemon resulting in an xrdp server
denial of service (for all modules that use xrdp's session manager for
user authentication via old-style passwd files or via shadow passwords).

This has been fixed by upstream in its development branch. [2]

======
[1] http://sourceforge.net/p/xrdp/mailman/message/32985523/
[2] https://github.com/neutrinolabs/xrdp/commit/851c762ee722




@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
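A hardened form of the check quoted in the description, as an added example (not xrdp's code and not the upstream commit). `verify_password`, `crypt_fn` and `stub_crypt` are hypothetical names; the stub is a constructed stand-in for crypt() that only models the NULL/EINVAL return on an invalid salt, so the failure path can be exercised without libcrypt or a FIPS host.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the NULL path is testable. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

static int salt_char_ok(char c)
{
    return c != '\0' &&
           strchr("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz", c) != NULL;
}

/* Constructed stand-in, NOT a real hash: returns NULL with EINVAL when the
 * two-character salt is outside [./0-9A-Za-z], as glibc >= 2.17 does. */
static char *stub_crypt(const char *key, const char *salt)
{
    static char out[64];

    if (salt == NULL || !salt_char_ok(salt[0]) || !salt_char_ok(salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%c%c%s", salt[0], salt[1], key);
    return out;
}

/* Returns 1 on match, 0 on mismatch, -1 if the hash function itself failed.
 * Callers must treat anything other than 1 as "authentication denied". */
int verify_password(crypt_fn do_crypt, const char *pass,
                    const char *salt, const char *hash)
{
    char *encr;

    errno = 0;
    encr = do_crypt(pass, salt);
    if (encr == NULL)      /* EINVAL (bad salt) or EPERM (FIPS mode) */
        return -1;         /* fail closed; never pass NULL to strncmp */
    return strncmp(encr, hash, 34) == 0 ? 1 : 0;
}

int main(void)
{
    printf("valid salt:   %d\n", verify_password(stub_crypt, "secret", "ab", "absecret"));
    printf("invalid salt: %d\n", verify_password(stub_crypt, "secret", "!x", "!xsecret"));
    return 0;
}
```

Returning a distinct -1 lets the daemon log the errno value, which separates a malformed passwd/shadow entry from an ordinary wrong password.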
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2015-02-19 16:58:51 UTC
+*xrdp-0.8.0-r1 (19 Feb 2015)
+
+  19 Feb 2015; Michał Górny <mgorny@gentoo.org>
+  +files/xrdp-0.8.0-crypt-null-return.patch, +xrdp-0.8.0-r1.ebuild,
+  -xrdp-0.6.1.ebuild, -xrdp-0.8.0.ebuild:
+  Patch out crypt() NULL return check vulnerability, bug #540630. Remove old.
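Review bot: The summary line "Patch out crypt() NULL return check vulnerability" can be read as removing a NULL check rather than adding one; wording such as "Add missing NULL check on crypt() return value" would state the fix unambiguously. "Remove old." could likewise say that xrdp-0.6.1.ebuild and xrdp-0.8.0.ebuild are dropped because they are the affected versions, so the ChangeLog ties the removal to bug #540630.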
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-19 18:16:24 UTC
(In reply to Michał Górny from comment #1)
> +*xrdp-0.8.0-r1 (19 Feb 2015)
> +
> +  19 Feb 2015; Michał Górny <mgorny@gentoo.org>
> +  +files/xrdp-0.8.0-crypt-null-return.patch, +xrdp-0.8.0-r1.ebuild,
> +  -xrdp-0.6.1.ebuild, -xrdp-0.8.0.ebuild:
> +  Patch out crypt() NULL return check vulnerability, bug #540630. Remove
> old.

Thanks