{"id":"MGASA-2023-0334","summary":"Updated xrdp packages fix security vulnerability","details":"The updated packages fix a security vulnerability\n\nAccess to the font glyphs in xrdp_painter.c is not bounds-checked. Since\nsome of this data is controllable by the user, this can result in an\nout-of-bounds read within the xrdp executable. The vulnerability allows\nan out-of-bounds read within a potentially privileged process. On\nnon-Debian platforms, xrdp tends to run as root. Potentially an\nout-of-bounds write can follow the out-of-bounds read. There is no\ndenial-of-service impact, providing xrdp is running in forking mode.\n(CVE-2023-42822)\n","modified":"2026-04-16T00:11:27.384890921Z","published":"2023-12-01T11:54:47Z","upstream":["CVE-2023-42822"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0334.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32575"},{"type":"WEB","url":"https://lwn.net/Articles/952920/"}],"affected":[{"package":{"name":"xrdp","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/xrdp?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.23.1-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0334.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}