CVE-2017-16927

NameCVE-2017-16927
DescriptionThe scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager in xrdp through 0.9.4 uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1203-1
NVD severityhigh
Debian Bugs882463

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xrdp (PTS)stretch0.9.1-9+deb9u3fixed
stretch (security)0.9.1-9+deb9u4fixed
buster, buster (security)0.9.9-1+deb10u1fixed
bullseye0.9.12-1.1fixed
bookworm, sid0.9.17-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xrdpsourcewheezy0.5.0-2+deb7u2DLA-1203-1
xrdpsourcestretch0.9.1-9+deb9u2
xrdpsource(unstable)0.9.4-3882463

Notes

[jessie] - xrdp <no-dsa> (Minor issue)
Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958
https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
Originally fixed with upstream patch in 0.9.4-2 but which caused regression
thus marking it only as fixed in the followup version, cf. #884702

Search for package or bug name: Reporting problems