File xrdp-CVE-2024-39917.patch of Package xrdp.37241

From 8ac2f6db34649a93d3c9c4fe8fda61203702e615 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:39:21 +0100
Subject: [PATCH] Enforce no login screen if require_credentials is set

If the setting require_credentials is true, there should be no way
for the user to get to a login screen.

This commit makes the following changes when this flag is active:
- Makes the checks around TS_INFO_PACKET more explicit.
- Closes the connection if the first login attempt fails.
---
 docs/man/xrdp.ini.5.in |  9 ++++++---
 libxrdp/xrdp_sec.c     | 27 ++++++++++++++++++++-------
 xrdp/xrdp.ini.in       |  3 ++-
 xrdp/xrdp_mm.c         |  8 ++++++++
 4 files changed, 36 insertions(+), 11 deletions(-)

Index: xrdp-0.9.13.1/docs/man/xrdp.ini.5.in
===================================================================
--- xrdp-0.9.13.1.orig/docs/man/xrdp.ini.5.in
+++ xrdp-0.9.13.1/docs/man/xrdp.ini.5.in
@@ -120,9 +120,12 @@ The default for RDP is \fB3389\fP.
 
 .TP
 \fBrequire_credentials\fP=\fI[true|false]\fP
-If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients to include username and
-password initial connection phase. In other words, xrdp doesn't allow clients to show login
-screen if set to true. If not specified, defaults to \fBfalse\fP.
+If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients
+to include username and password initial connection phase. In other
+words, xrdp doesn't allow clients to show login screen if set to true.
+It follows that an incorrect password will cause the login to immediately
+fail without displaying the login screen.  If not specified, defaults
+to \fBfalse\fP.
 
 .TP
 \fBsecurity_layer\fP=\fI[tls|rdp|negotiate]\fP
Index: xrdp-0.9.13.1/libxrdp/xrdp_sec.c
===================================================================
--- xrdp-0.9.13.1.orig/libxrdp/xrdp_sec.c
+++ xrdp-0.9.13.1/libxrdp/xrdp_sec.c
@@ -810,6 +810,25 @@ xrdp_sec_process_logon_info(struct xrdp_
     }
     DEBUG(("username %s", self->rdp_layer->client_info.username));
 
+    // If we require credentials, don't continue if they're not provided
+    if (self->rdp_layer->client_info.require_credentials)
+    {
+        if ((flags & RDP_LOGON_AUTO) == 0)
+        {
+            log_message(LOG_LEVEL_ERROR, "Server is configured to require that the "
+                "client enable auto logon with credentials, but the client did "
+                "not request auto logon.");
+            return 1;
+        }
+        if (len_user == 0 || len_password == 0)
+        {
+            log_message(LOG_LEVEL_ERROR, "Server is configured to require that the "
+                "client enable auto logon with credentials, but the client did "
+                "not supply both a username and password.");
+            return 1;
+        }
+    }
+
     if (flags & RDP_LOGON_AUTO)
     {
         if (unicode_utf16_in(s, len_password, self->rdp_layer->client_info.password, sizeof(self->rdp_layer->client_info.password) - 1) != 0)
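Review bot: The new require_credentials block is correct only because it sits ahead of the `if (flags & RDP_LOGON_AUTO)` branch that parses the password, and its leading comment does not say so; if a later change moved it back beside the password handling (where the removed check lived, see the second hunk of this file) an auto-logon carrying an empty password would no longer be rejected here. Suggest widening the comment to `// Must run before the password is parsed below: with require_credentials, both the RDP_LOGON_AUTO flag and a non-empty username and password are mandatory, whichever branch follows.` The `return 1` on both rejection paths relies on the caller to tear down the connection, which is not visible in this hunk. xrdp_sec_process_logon_info starts and ends outside the hunk.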
@@ -820,16 +839,12 @@ xrdp_sec_process_logon_info(struct xrdp_
     }
     else
     {
+        // Skip the password
         if (!s_check_rem(s, len_password + 2))
         {
             return 1;
         }
         in_uint8s(s, len_password + 2);
-        if (self->rdp_layer->client_info.require_credentials)
-        {
-            g_writeln("xrdp_sec_process_logon_info: credentials on cmd line is mandatory");
-            return 1; /* credentials on cmd line is mandatory */
-        }
     }
 
     if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0)
Index: xrdp-0.9.13.1/xrdp/xrdp_mm.c
===================================================================
--- xrdp-0.9.13.1.orig/xrdp/xrdp_mm.c
+++ xrdp-0.9.13.1/xrdp/xrdp_mm.c
@@ -1615,6 +1615,14 @@ xrdp_mm_process_login_response(struct xr
     }
     else
     {
+        if (self->wm->client_info->require_credentials)
+            {
+                //                cleanup_sesman_connection(self);
+                /* Credentials had to be specified, but were invalid */
+                g_set_wait_obj(self->wm->pro_layer->self_term_event);
+                log_message(LOG_LEVEL_ERROR, "require_credentials is set, "
+                            "but the user could not be logged in");
+            }
         xrdp_wm_log_msg(self->wm, LOG_LEVEL_INFO,
                         "login failed for display %d", display);
         xrdp_wm_show_log(self->wm);
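Review bot: The commented-out `//                cleanup_sesman_connection(self);` line inside the new block should be dropped rather than left as disabled code; if the cleanup is deliberately deferred, a one-line comment giving the reason is more useful than a dead call. The block's braces and body are also indented four columns deeper than the surrounding `else` body (compare `xrdp_wm_log_msg` on the following line), so it should be reindented to the file's convention. Since `g_set_wait_obj` appears to only signal the termination event, execution still continues into `xrdp_wm_log_msg` and `xrdp_wm_show_log`, so the log window is presented before the session actually ends; that looks harmless but deserves a comment such as `/* termination is asynchronous; the failure is still logged and shown below */`. xrdp_mm_process_login_response continues past the hunk.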