diff options
-rw-r--r-- | system/xrdp/xrdp-v0.6.1_cleanup-state.diff | 51 | ||||
-rw-r--r-- | system/xrdp/xrdp-v0.6.1_crypt.diff | 116 | ||||
-rw-r--r-- | system/xrdp/xrdp-v0.6.1_disabled.diff | 26 | ||||
-rw-r--r-- | system/xrdp/xrdp.SlackBuild | 7 |
4 files changed, 199 insertions, 1 deletions
diff --git a/system/xrdp/xrdp-v0.6.1_cleanup-state.diff b/system/xrdp/xrdp-v0.6.1_cleanup-state.diff new file mode 100644 index 0000000000..32d8cb59ef --- /dev/null +++ b/system/xrdp/xrdp-v0.6.1_cleanup-state.diff @@ -0,0 +1,51 @@ +From fca088da8caab209534db2c6ff9dcda277a529a7 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Wed, 18 Feb 2015 +Subject: Clean our state + +Make sure our state is clean when we're at the login window. This +code, adapted from upstream's development branch, ensures settings +from previous connections are cleared. + +--- + xrdp/xrdp_mm.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/xrdp/xrdp_mm.c ++++ b/xrdp/xrdp_mm.c +@@ -899,6 +899,25 @@ xrdp_mm_sesman_data_in(struct trans* tra + } + + /*****************************************************************************/ ++static void APP_CC ++cleanup_states(struct xrdp_mm *self) ++{ ++ if (self != NULL) ++ { ++ self-> connected_state = 0; /* true if connected to sesman else false */ ++ self-> sesman_trans = NULL; /* connection to sesman */ ++ self-> sesman_trans_up = 0; /* true once connected to sesman */ ++ self-> delete_sesman_trans = 0; /* boolean set when done with sesman connection */ ++ self-> display = 0; /* 10 for :10.0, 11 for :11.0, etc */ ++ self-> code = 0; /* 0 Xvnc session, 10 X11rdp session, 20 Xorg session */ ++ self-> sesman_controlled = 0; /* true if this is a sesman session */ ++ self-> chan_trans = NULL; /* connection to chansrv */ ++ self-> chan_trans_up = 0; /* true once connected to chansrv */ ++ self-> delete_chan_trans = 0; /* boolean set when done with channel connection */ ++ } ++} ++ ++/*****************************************************************************/ + int APP_CC + xrdp_mm_connect(struct xrdp_mm* self) + { +@@ -916,6 +939,9 @@ xrdp_mm_connect(struct xrdp_mm* self) + char text[256]; + char port[8]; + ++ /* make sure we start in correct state */ ++ cleanup_states(self); ++ + g_memset(ip,0,sizeof(char) * 256); + g_memset(errstr,0,sizeof(char) * 256); + g_memset(text,0,sizeof(char) * 256); diff --git a/system/xrdp/xrdp-v0.6.1_crypt.diff b/system/xrdp/xrdp-v0.6.1_crypt.diff new file mode 100644 index 0000000000..1e6948a914 --- /dev/null +++ b/system/xrdp/xrdp-v0.6.1_crypt.diff @@ -0,0 +1,116 @@ +From 33feceb1573cbb6ba7fb326bb7872de75bca6b9e Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Wed, 18 Feb 2015 +Subject: Fix account validation with glibc crypt + +Starting with glibc 2.17, crypt() can return NULL which can cause +xrdp-sesman to segfault. This patch backports upstream's fix for +this as well as changes auth_userpass so it can validate SHA-256 +and SHA-512 hashed passwords. + +--- + sesman/verify_user.c | 87 ++++++++++++++++------------------------- + 1 file changed, 35 insertions(+), 52 deletions(-) + +--- a/sesman/verify_user.c ++++ b/sesman/verify_user.c +@@ -51,64 +51,47 @@ auth_account_disabled(struct spwd* stp); + long DEFAULT_CC + auth_userpass(char* user, char* pass) + { +- char salt[13] = "$1$"; +- char hash[35] = ""; +- char* encr = 0; +- struct passwd* spw; +- struct spwd* stp; +- int saltcnt = 0; +- +- spw = getpwnam(user); +- if (spw == 0) +- { +- return 0; +- } +- if (g_strncmp(spw->pw_passwd, "x", 3) == 0) +- { +- /* the system is using shadow */ +- stp = getspnam(user); +- if (stp == 0) ++ const char *encr; ++ const char *epass; ++ struct passwd *spw; ++ struct spwd *stp; ++ ++ spw = getpwnam(user); ++ ++ if (spw == 0) ++ { ++ return 0; ++ } ++ ++ if (g_strncmp(spw->pw_passwd, "x", 3) == 0) + { +- return 0; ++ /* the system is using shadow */ ++ stp = getspnam(user); ++ ++ if (stp == 0) ++ { ++ return 0; ++ } ++ ++ if (1 == auth_account_disabled(stp)) ++ { ++ log_message(&(g_cfg->log), LOG_LEVEL_INFO, "account %s is disabled", user); ++ return 0; ++ } ++ ++ encr = stp->sp_pwdp; + } +- if (1==auth_account_disabled(stp)) ++ else + { +- log_message(&(g_cfg->log), LOG_LEVEL_INFO, "account %s is disabled", user); +- return 0; ++ /* old system with only passwd */ ++ encr = spw->pw_passwd; + } +- g_strncpy(hash, stp->sp_pwdp, 34); +- } +- else +- { +- /* old system with only passwd */ +- g_strncpy(hash, spw->pw_passwd, 34); +- } +- hash[34] = '\0'; +- if (g_strncmp(hash, "$1$", 3) == 0) +- { +- /* gnu style crypt(); */ +- saltcnt = 3; +- while ((hash[saltcnt] != '$') && (saltcnt < 11)) ++ epass = crypt(pass, encr); ++ if (epass == 0) + { +- salt[saltcnt] = hash[saltcnt]; +- saltcnt++; ++ return 0; + } +- salt[saltcnt] = '$'; +- salt[saltcnt + 1] = '\0'; +- } +- else +- { +- /* classic two char salt */ +- salt[0] = hash[0]; +- salt[1] = hash[1]; +- salt[2] = '\0'; +- } +- encr = crypt(pass,salt); +- if (g_strncmp(encr, hash, 34) != 0) +- { +- return 0; +- } +- return 1; ++ return (strcmp(encr, epass) == 0); + } + + /******************************************************************************/ diff --git a/system/xrdp/xrdp-v0.6.1_disabled.diff b/system/xrdp/xrdp-v0.6.1_disabled.diff new file mode 100644 index 0000000000..42855c89d3 --- /dev/null +++ b/system/xrdp/xrdp-v0.6.1_disabled.diff @@ -0,0 +1,26 @@ +From 6f195b64890e08d3fbbbb792f45a7d94d641c914 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1 AT zoho DOT com> +Date: Wed, 18 Feb 2015 +Subject: Fix inactive account determination + +sesman: fix so shadow accounts aren't incorrectly classified "inactive" +as might happen if sp_max/sp_inact fields are empty or sp_lstchg=0. + +--- + sesman/verify_user.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sesman/verify_user.c ++++ b/sesman/verify_user.c +@@ -323,7 +323,10 @@ auth_account_disabled(struct spwd* stp) + return 1; + } + +- if (today >= (stp->sp_lstchg+stp->sp_max+stp->sp_inact)) ++ if ((stp->sp_max >= 0) && ++ (stp->sp_inact >= 0) && ++ (stp->sp_lstchg > 0) && ++ (today >= (stp->sp_lstchg + stp->sp_max + stp->sp_inact))) + { + return 1; + } diff --git a/system/xrdp/xrdp.SlackBuild b/system/xrdp/xrdp.SlackBuild index 8ac44d6ad9..0a18e3aada 100644 --- a/system/xrdp/xrdp.SlackBuild +++ b/system/xrdp/xrdp.SlackBuild @@ -5,7 +5,7 @@ PRGNAM=xrdp VERSION=${VERSION:-0.6.1} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then @@ -63,6 +63,11 @@ else NOPAM_OPT="" fi +# patches from Mancha +patch -p1 < $CWD/xrdp-v0.6.1_disabled.diff +patch -p1 < $CWD/xrdp-v0.6.1_crypt.diff +patch -p1 < $CWD/xrdp-v0.6.1_cleanup-state.diff + # Optional config options if built with FreeRDP: # --enable-freerdp Build freerdp module (default: no) # --enable-freerdp1 Build freerdp1 module (default: no) |