CVE-2017-16927

NameCVE-2017-16927
DescriptionThe scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session manager in xrdp through 0.9.4 uses an untrusted integer as a write length, which allows local users to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted input stream.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1203-1
NVD severityhigh (attack range: local)
Debian Bugs882463

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xrdp (PTS)jessie0.6.1-2vulnerable
stretch0.9.1-9+deb9u3fixed
sid0.9.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xrdpsource(unstable)0.9.4-3high882463
xrdpsourcestretch0.9.1-9+deb9u2high
xrdpsourcewheezy0.5.0-2+deb7u2highDLA-1203-1

Notes

[jessie] - xrdp <no-dsa> (Minor issue)
Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958
https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
Originally fixed with upstream patch in 0.9.4-2 but which caused regression
thus marking it only as fixed in the followup version, cf. #884702

Search for package or bug name: Reporting problems