Security update for xrdp SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0012-1 Final 1 1 2023-01-02T10:46:01Z current 2023-01-02T10:46:01Z 2023-01-02T10:46:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xrdp This update for xrdp fixes the following issues: - CVE-2022-23468: Fixed a buffer overflow in xrdp_login_wnd_create() (bsc#1206300). - CVE-2022-23479: Fixed a buffer overflow in xrdp_mm_chan_data_in() (bsc#1206303). - CVE-2022-23480: Fixed a buffer overflow in devredir_proc_client_devlist_announce_req() (bsc#1206306). - CVE-2022-23481: Fixed an out of bound read in xrdp_caps_process_confirm_active() (bsc#1206307). - CVE-2022-23482: Fixed an out of bound read in xrdp_sec_process_mcs_data_CS_CORE() (bsc#1206310). - CVE-2022-23483: Fixed an out of bound read in libxrdp_send_to_channel() (bsc#1206311). - CVE-2022-23484: Fixed a integer overflow in xrdp_mm_process_rail_update_window_text() (bsc#1206312). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-12,SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-12,SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-12,SUSE-SLE-Product-SLES_SAP-15-SP1-2023-12,SUSE-Storage-6-2023-12 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ Link for SUSE-SU-2023:0012-1 https://lists.suse.com/pipermail/sle-security-updates/2023-January/013412.html E-Mail link for SUSE-SU-2023:0012-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1206300 SUSE Bug 1206300 https://bugzilla.suse.com/1206303 SUSE Bug 1206303 https://bugzilla.suse.com/1206306 SUSE Bug 1206306 https://bugzilla.suse.com/1206307 SUSE Bug 1206307 https://bugzilla.suse.com/1206310 SUSE Bug 1206310 https://bugzilla.suse.com/1206311 SUSE Bug 1206311 https://bugzilla.suse.com/1206312 SUSE Bug 1206312 https://www.suse.com/security/cve/CVE-2022-23468/ SUSE CVE CVE-2022-23468 page https://www.suse.com/security/cve/CVE-2022-23479/ SUSE CVE CVE-2022-23479 page https://www.suse.com/security/cve/CVE-2022-23480/ SUSE CVE CVE-2022-23480 page https://www.suse.com/security/cve/CVE-2022-23481/ SUSE CVE CVE-2022-23481 page https://www.suse.com/security/cve/CVE-2022-23482/ SUSE CVE CVE-2022-23482 page https://www.suse.com/security/cve/CVE-2022-23483/ SUSE CVE CVE-2022-23483 page https://www.suse.com/security/cve/CVE-2022-23484/ SUSE CVE CVE-2022-23484 page SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpainter0-0.9.6-150000.4.11.1 librfxencode0-0.9.6-150000.4.11.1 xrdp-0.9.6-150000.4.11.1 xrdp-devel-0.9.6-150000.4.11.1 libpainter0-0.9.6-150000.4.11.1 as a component of SUSE Enterprise Storage 6 librfxencode0-0.9.6-150000.4.11.1 as a component of SUSE Enterprise Storage 6 xrdp-0.9.6-150000.4.11.1 as a component of SUSE Enterprise Storage 6 xrdp-devel-0.9.6-150000.4.11.1 as a component of SUSE Enterprise Storage 6 libpainter0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS librfxencode0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS xrdp-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS xrdp-devel-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpainter0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS librfxencode0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS xrdp-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS xrdp-devel-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpainter0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 librfxencode0-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 xrdp-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 xrdp-devel-0.9.6-150000.4.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_login_wnd_create() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23468 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23468.html CVE-2022-23468 https://bugzilla.suse.com/1206300 SUSE Bug 1206300 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_mm_chan_data_in() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23479 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23479.html CVE-2022-23479 https://bugzilla.suse.com/1206303 SUSE Bug 1206303 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in devredir_proc_client_devlist_announce_req() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23480 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23480.html CVE-2022-23480 https://bugzilla.suse.com/1206306 SUSE Bug 1206306 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_caps_process_confirm_active() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23481 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23481.html CVE-2022-23481 https://bugzilla.suse.com/1206307 SUSE Bug 1206307 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23482 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23482.html CVE-2022-23482 https://bugzilla.suse.com/1206310 SUSE Bug 1206310 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in libxrdp_send_to_channel() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23483 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23483.html CVE-2022-23483 https://bugzilla.suse.com/1206311 SUSE Bug 1206311 xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Integer Overflow in xrdp_mm_process_rail_update_window_text() function. There are no known workarounds for this issue. Users are advised to upgrade. CVE-2022-23484 SUSE Enterprise Storage 6:libpainter0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:librfxencode0-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-0.9.6-150000.4.11.1 SUSE Enterprise Storage 6:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server 15 SP1-LTSS:xrdp-devel-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpainter0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:librfxencode0-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-0.9.6-150000.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:xrdp-devel-0.9.6-150000.4.11.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230012-1/ https://www.suse.com/security/cve/CVE-2022-23484.html CVE-2022-23484 https://bugzilla.suse.com/1206312 SUSE Bug 1206312