Source: xrdp
Version: 0.9.21.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for xrdp.

CVE-2023-42822[0]:
| xrdp is an open source remote desktop protocol server. Access to the
| font glyphs in xrdp_painter.c is not bounds-checked. Since some of
| this data is controllable by the user, this can result in an out-of-
| bounds read within the xrdp executable. The vulnerability allows an
| out-of-bounds read within a potentially privileged process. On non-
| Debian platforms, xrdp tends to run as root. Potentially an out-of-
| bounds write can follow the out-of-bounds read. There is no denial-
| of-service impact, providing xrdp is running in forking mode. This
| issue has been addressed in release 0.9.23.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42822
    https://www.cve.org/CVERecord?id=CVE-2023-42822
[1] https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2hjx-rm4f-r9hw
[2] https://github.com/neutrinolabs/xrdp/commit/73acbe1f7957c65122b00de4d6f57a8d0d257c40

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
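As an added illustration of the bug class the advisory describes (an indexed glyph lookup that trusts client-supplied indices), not xrdp's own code: a hypothetical glyph cache in C with the unchecked lookup beside a bounds-checked one. The structure names, table sizes and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical glyph cache: a fixed number of fonts, each with a fixed
   number of glyph slots. Illustrative definitions, not xrdp's. */
#define NUM_FONTS 12
#define NUM_CHARS 256

struct glyph {
    int width;
    int height;
    const uint8_t *bitmap;
};

struct font_cache {
    struct glyph glyphs[NUM_FONTS][NUM_CHARS];
};

/* Unchecked lookup: if font/ch come straight from a client drawing order,
   an out-of-range value indexes memory beyond the table (the bug class in
   CVE-2023-42822). Kept only for contrast; never call it with untrusted
   indices. */
const struct glyph *glyph_lookup_unchecked(const struct font_cache *fc,
                                           int font, int ch)
{
    return &fc->glyphs[font][ch];
}

/* Checked lookup: refuse any index outside the table instead of reading
   (or later writing) past it. */
const struct glyph *glyph_lookup_checked(const struct font_cache *fc,
                                         int font, int ch)
{
    if (fc == NULL || font < 0 || font >= NUM_FONTS ||
        ch < 0 || ch >= NUM_CHARS)
        return NULL;
    return &fc->glyphs[font][ch];
}

static struct font_cache g_cache; /* zero-initialised demo cache */

/* Returns 1 if the checked lookup accepts (font, ch), 0 if it rejects it. */
int lookup_accepts(int font, int ch)
{
    return glyph_lookup_checked(&g_cache, font, ch) != NULL;
}
```

The checked variant is the shape of fix a reviewer should look for in the upstream commit: every index derived from client data is validated against the table bounds before it is used.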