libpainter0-0.9.23.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13399-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpainter0-0.9.23.1-1.1 on GA media These are all security issues fixed in the libpainter0-0.9.23.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13399 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-40184/ SUSE CVE CVE-2023-40184 page https://www.suse.com/security/cve/CVE-2023-42822/ SUSE CVE CVE-2023-42822 page openSUSE Tumbleweed libpainter0-0.9.23.1-1.1 librfxencode0-0.9.23.1-1.1 xrdp-0.9.23.1-1.1 xrdp-devel-0.9.23.1-1.1 libpainter0-0.9.23.1-1.1 as a component of openSUSE Tumbleweed librfxencode0-0.9.23.1-1.1 as a component of openSUSE Tumbleweed xrdp-0.9.23.1-1.1 as a component of openSUSE Tumbleweed xrdp-devel-0.9.23.1-1.1 as a component of openSUSE Tumbleweed xrdp is an open source remote desktop protocol (RDP) server. In versions prior to 0.9.23 improper handling of session establishment errors allows bypassing OS-level session restrictions. The `auth_start_session` function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) to be bypassed. Users (administrators) don't use restrictions by PAM are not affected. This issue has been addressed in release version 0.9.23. Users are advised to upgrade. There are no known workarounds for this issue. CVE-2023-40184 openSUSE Tumbleweed:libpainter0-0.9.23.1-1.1 openSUSE Tumbleweed:librfxencode0-0.9.23.1-1.1 openSUSE Tumbleweed:xrdp-0.9.23.1-1.1 openSUSE Tumbleweed:xrdp-devel-0.9.23.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-40184.html CVE-2023-40184 https://bugzilla.suse.com/1214805 SUSE Bug 1214805 xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, providing xrdp is running in forking mode. This issue has been addressed in release 0.9.23.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2023-42822 openSUSE Tumbleweed:libpainter0-0.9.23.1-1.1 openSUSE Tumbleweed:librfxencode0-0.9.23.1-1.1 openSUSE Tumbleweed:xrdp-0.9.23.1-1.1 openSUSE Tumbleweed:xrdp-devel-0.9.23.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-42822.html CVE-2023-42822 https://bugzilla.suse.com/1215803 SUSE Bug 1215803