File xrdp-CVE-2017-6967.patch of Package xrdp.7006
diff --git a/sesman/scp_v0.c b/sesman/scp_v0.c
index 3fc788f..73dd51b 100644
--- a/sesman/scp_v0.c
+++ b/sesman/scp_v0.c
@@ -36,6 +36,7 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
tbus data;
struct session_item *s_item;
int errorcode = 0 ;
+ int do_auth_end = 1;
data = auth_userpass(s->username, s->password,&errorcode);
@@ -146,6 +147,9 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
s->domain, s->program, s->directory,
s->client_ip);
}
+ /* if the session started up ok, auth_end will be called on
+ sig child */
+ do_auth_end = display == 0;
}
else
{
@@ -155,7 +159,6 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
if (display == 0)
{
- auth_end(data);
scp_v0s_deny_connection(c);
}
else
@@ -167,4 +170,8 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
{
scp_v0s_deny_connection(c);
}
+ if (do_auth_end)
+ {
+ auth_end(data);
+ }
}
diff --git a/sesman/scp_v1.c b/sesman/scp_v1.c
index 2324b75..21924e1 100644
--- a/sesman/scp_v1.c
+++ b/sesman/scp_v1.c
@@ -38,7 +38,7 @@ void DEFAULT_CC
scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
{
long data;
- int display;
+ int display = 0;
int retries;
int current_try;
enum SCP_SERVER_STATES_E e;
@@ -46,6 +46,7 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
struct session_item *sitem;
int scount;
SCP_SID sid;
+ int do_auth_end = 1;
retries = g_cfg->sec.login_retry;
current_try = retries;
@@ -129,13 +129,23 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
s->password, data, SESMAN_SESSION_TYPE_XVNC,
s->domain, s->program, s->directory, s->client_ip);
}
- else
+ else if (SCP_SESSION_TYPE_XRDP == s->type)
{
log_message(LOG_LEVEL_INFO, "starting X11rdp session...");
display = session_start(s->width, s->height, s->bpp, s->username,
s->password, data, SESMAN_SESSION_TYPE_XRDP,
s->domain, s->program, s->directory, s->client_ip);
}
+ else if (SCP_SESSION_TYPE_XORG == s->type)
+ {
+ log_message(LOG_LEVEL_INFO, "starting Xorg session...");
+ display = session_start(s->width, s->height, s->bpp, s->username,
+ s->password, data, SESMAN_SESSION_TYPE_XORG,
+ s->domain, s->program, s->directory, s->client_ip);
+ }
+ /* if the session started up ok, auth_end will be called on
+ sig child */
+ do_auth_end = display == 0;
e = scp_v1s_connect_new_session(c, display);
@@ -205,7 +214,10 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
/* cleanup */
scp_session_destroy(s);
- auth_end(data);
+ if (do_auth_end)
+ {
+ auth_end(data);
+ }
g_free(slist);
}
diff --git a/sesman/session.c b/sesman/session.c
index 4ea48d3..efc97e5 100644
--- a/sesman/session.c
+++ b/sesman/session.c
@@ -513,6 +513,7 @@ session_start_fork(int width, int height, int bpp, char *username,
return 0;
}
+ auth_start_session(data, display);
pid = g_fork();
if (pid == -1)
@@ -532,7 +533,6 @@ session_start_fork(int width, int height, int bpp, char *username,
else if (wmpid == 0) /* child (child sesman) xserver */
{
wait_for_xserver(display);
- auth_start_session(data, display);
pampid = g_fork();
if (pampid == -1)
{
@@ -620,7 +620,6 @@ session_start_fork(int width, int height, int bpp, char *username,
else
{
g_waitpid(pampid);
- auth_stop_session(data);
g_deinit();
g_exit(0);
}
@@ -958,6 +957,8 @@ session_kill(int pid)
if (tmp->item->pid == pid)
{
+ auth_stop_session(tmp->item->data);
+ auth_end(tmp->item->data);
/* deleting the session */
log_message(LOG_LEVEL_INFO, "++ terminated session: username %s, display :%d.0, session_pid %d, ip %s", tmp->item->name, tmp->item->display, tmp->item->pid, tmp->item->client_ip);
g_free(tmp->item);
