Mageia Advisory: MGASA-2023-0334 - Updated xrdp packages fix security vulnerability

Updated xrdp packages fix security vulnerability

Publication date: 01 Dec 2023
Modification date: 01 Dec 2023
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-42822

Description

The updated packages fix a security vulnerability

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since
some of this data is controllable by the user, this can result in an
out-of-bounds read within the xrdp executable. The vulnerability allows
an out-of-bounds read within a potentially privileged process. On
non-Debian platforms, xrdp tends to run as root. Potentially an
out-of-bounds write can follow the out-of-bounds read. There is no
denial-of-service impact, providing xrdp is running in forking mode.
(CVE-2023-42822)

References

https://bugs.mageia.org/show_bug.cgi?id=32575
https://lwn.net/Articles/952920/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42822

SRPMS

9/core

xrdp-0.9.23.1-1.mga9

Advisories » MGASA-2023-0334

Updated xrdp packages fix security vulnerability

Description

References

SRPMS

9/core