Bugzilla – Bug 1206313
VUL-0: CVE-2022-23493: xrdp: Out of Bound Read in xrdp_mm_trans_process_drdynvc_channel_close()
Last modified: 2023-02-10 20:19:30 UTC
CVE-2022-23493: xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contains an Out of Bound Read in the xrdp_mm_trans_process_drdynvc_channel_close() function. There are no known workarounds for this issue. Users are advised to upgrade.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23493
- https://www.cve.org/CVERecord?id=CVE-2022-23493
- https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v
Fix: https://github.com/neutrinolabs/xrdp/commit/030db5524be7616967ae9e7d26b3d4477cf6082d

Not Affected:
- SUSE:SLE-11-SP3:Update/xrdp 0.4.1

Affected:
- SUSE:SLE-12-SP2:Update/xrdp 0.9.0
- SUSE:SLE-12-SP3:Update/xrdp 0.9.0
- SUSE:SLE-12-SP5:Update/xrdp 0.9.10
- SUSE:SLE-15-SP2:Update/xrdp 0.9.13.1
- SUSE:SLE-15:Update/xrdp 0.9.6
- openSUSE:Factory/xrdp 0.9.20
xrdp_mm_trans_process_drdynvc_channel_close() does not exist on v0.9.0. Is this version really affected?
Hi Daike, yes you are right, I will adjust the tracking. Thanks a lot!

Not Affected:
- SUSE:SLE-12-SP2:Update/xrdp 0.9.0
- SUSE:SLE-12-SP3:Update/xrdp 0.9.0
- SUSE:SLE-15:Update/xrdp 0.9.6
- SUSE:SLE-11-SP3:Update/xrdp 0.4.1

Affected:
- SUSE:SLE-12-SP5:Update/xrdp 0.9.10
- SUSE:SLE-15-SP2:Update/xrdp 0.9.13.1
- openSUSE:Factory/xrdp 0.9.20
SUSE-SU-2023:0033-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1206300,1206302,1206303,1206306,1206307,1206310,1206311,1206312,1206313
CVE References: CVE-2022-23468,CVE-2022-23478,CVE-2022-23479,CVE-2022-23480,CVE-2022-23481,CVE-2022-23482,CVE-2022-23483,CVE-2022-23484,CVE-2022-23493
JIRA References:

Sources used:
- openSUSE Leap 15.4 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Server 4.2 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Server 4.1 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Retail Branch Server 4.2 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Retail Branch Server 4.1 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Proxy 4.2 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Manager Proxy 4.1 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Server for SAP 15-SP3 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Server 15-SP3-LTSS (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Realtime Extension 15-SP3 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Enterprise Storage 7.1 (src): xrdp-0.9.13.1-150200.4.15.1
- SUSE Enterprise Storage 7 (src): xrdp-0.9.13.1-150200.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0374-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1206300,1206302,1206303,1206306,1206307,1206310,1206311,1206312,1206313,1206621
CVE References: CVE-2022-23468,CVE-2022-23478,CVE-2022-23479,CVE-2022-23480,CVE-2022-23481,CVE-2022-23482,CVE-2022-23483,CVE-2022-23484,CVE-2022-23493
JIRA References:

Sources used:
- SUSE Linux Enterprise Server 12-SP5 (src): xrdp-0.9.10-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.