4 files changed, 199 insertions, 1 deletions

diff --git a/system/xrdp/xrdp-v0.6.1_cleanup-state.diff b/system/xrdp/xrdp-v0.6.1_cleanup-state.diff
new file mode 100644
index 0000000000..32d8cb59ef
--- /dev/null
+++ b/system/xrdp/xrdp-v0.6.1_cleanup-state.diff
@@ -0,0 +1,51 @@
+From fca088da8caab209534db2c6ff9dcda277a529a7 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 18 Feb 2015
+Subject: Clean our state
+
+Make sure our state is clean when we're at the login window. This 
+code, adapted from upstream's development branch, ensures settings
+from previous connections are cleared.
+
+---
+ xrdp/xrdp_mm.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/xrdp/xrdp_mm.c
++++ b/xrdp/xrdp_mm.c
+@@ -899,6 +899,25 @@ xrdp_mm_sesman_data_in(struct trans* tra
+ }
+ 
+ /*****************************************************************************/
++static void APP_CC
++cleanup_states(struct xrdp_mm *self)
++{
++    if (self != NULL)
++    {
++        self-> connected_state = 0; /* true if connected to sesman else false */
++        self-> sesman_trans = NULL; /* connection to sesman */
++        self-> sesman_trans_up = 0; /* true once connected to sesman */
++        self-> delete_sesman_trans = 0; /* boolean set when done with sesman connection */
++        self-> display = 0; /* 10 for :10.0, 11 for :11.0, etc */
++        self-> code = 0; /* 0 Xvnc session, 10 X11rdp session, 20 Xorg session */
++        self-> sesman_controlled = 0; /* true if this is a sesman session */
++        self-> chan_trans = NULL; /* connection to chansrv */
++        self-> chan_trans_up = 0; /* true once connected to chansrv */
++        self-> delete_chan_trans = 0; /* boolean set when done with channel connection */
++    }
++}
++
++/*****************************************************************************/
+ int APP_CC
+ xrdp_mm_connect(struct xrdp_mm* self)
+ {
+@@ -916,6 +939,9 @@ xrdp_mm_connect(struct xrdp_mm* self)
+   char text[256];
+   char port[8];
+ 
++  /* make sure we start in correct state */
++  cleanup_states(self);
++
+   g_memset(ip,0,sizeof(char) * 256);
+   g_memset(errstr,0,sizeof(char) * 256);
+   g_memset(text,0,sizeof(char) * 256);
diff --git a/system/xrdp/xrdp-v0.6.1_crypt.diff b/system/xrdp/xrdp-v0.6.1_crypt.diff
new file mode 100644
index 0000000000..1e6948a914
--- /dev/null
+++ b/system/xrdp/xrdp-v0.6.1_crypt.diff
@@ -0,0 +1,116 @@
+From 33feceb1573cbb6ba7fb326bb7872de75bca6b9e Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 18 Feb 2015
+Subject: Fix account validation with glibc crypt
+
+Starting with glibc 2.17, crypt() can return NULL which can cause
+xrdp-sesman to segfault. This patch backports upstream's fix for
+this as well as changes auth_userpass so it can validate SHA-256
+and SHA-512 hashed passwords.
+
+---
+ sesman/verify_user.c |   87 ++++++++++++++++-------------------------
+ 1 file changed, 35 insertions(+), 52 deletions(-)
+
+--- a/sesman/verify_user.c
++++ b/sesman/verify_user.c
+@@ -51,64 +51,47 @@ auth_account_disabled(struct spwd* stp);
+ long DEFAULT_CC
+ auth_userpass(char* user, char* pass)
+ {
+-  char salt[13] = "$1$";
+-  char hash[35] = "";
+-  char* encr = 0;
+-  struct passwd* spw;
+-  struct spwd* stp;
+-  int saltcnt = 0;
+-
+-  spw = getpwnam(user);
+-  if (spw == 0)
+-  {
+-    return 0;
+-  }
+-  if (g_strncmp(spw->pw_passwd, "x", 3) == 0)
+-  {
+-    /* the system is using shadow */
+-    stp = getspnam(user);
+-    if (stp == 0)
++    const char *encr;
++    const char *epass;
++    struct passwd *spw;
++    struct spwd *stp;
++
++    spw = getpwnam(user);
++
++    if (spw == 0)
++    {
++        return 0;
++    }
++
++    if (g_strncmp(spw->pw_passwd, "x", 3) == 0)
+     {
+-      return 0;
++        /* the system is using shadow */
++        stp = getspnam(user);
++
++        if (stp == 0)
++        {
++            return 0;
++        }
++
++        if (1 == auth_account_disabled(stp))
++        {
++            log_message(&(g_cfg->log), LOG_LEVEL_INFO, "account %s is disabled", user);
++            return 0;
++        }
++
++        encr = stp->sp_pwdp;
+     }
+-    if (1==auth_account_disabled(stp))
++    else
+     {
+-      log_message(&(g_cfg->log), LOG_LEVEL_INFO, "account %s is disabled", user);
+-      return 0;
++        /* old system with only passwd */
++        encr = spw->pw_passwd;
+     }
+-    g_strncpy(hash, stp->sp_pwdp, 34);
+-  }
+-  else
+-  {
+-    /* old system with only passwd */
+-    g_strncpy(hash, spw->pw_passwd, 34);
+-  }
+-  hash[34] = '\0';
+-  if (g_strncmp(hash, "$1$", 3) == 0)
+-  {
+-    /* gnu style crypt(); */
+-    saltcnt = 3;
+-    while ((hash[saltcnt] != '$') && (saltcnt < 11))
++    epass = crypt(pass, encr);
++    if (epass == 0)
+     {
+-      salt[saltcnt] = hash[saltcnt];
+-      saltcnt++;
++        return 0;
+     }
+-    salt[saltcnt] = '$';
+-    salt[saltcnt + 1] = '\0';
+-  }
+-  else
+-  {
+-    /* classic two char salt */
+-    salt[0] = hash[0];
+-    salt[1] = hash[1];
+-    salt[2] = '\0';
+-  }
+-  encr = crypt(pass,salt);
+-  if (g_strncmp(encr, hash, 34) != 0)
+-  {
+-    return 0;
+-  }
+-  return 1;
++    return (strcmp(encr, epass) == 0);
+ }
+ 
+ /******************************************************************************/
diff --git a/system/xrdp/xrdp-v0.6.1_disabled.diff b/system/xrdp/xrdp-v0.6.1_disabled.diff
new file mode 100644
index 0000000000..42855c89d3
--- /dev/null
+++ b/system/xrdp/xrdp-v0.6.1_disabled.diff
@@ -0,0 +1,26 @@
+From 6f195b64890e08d3fbbbb792f45a7d94d641c914 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 18 Feb 2015
+Subject: Fix inactive account determination
+
+sesman: fix so shadow accounts aren't incorrectly classified "inactive"
+as might happen if sp_max/sp_inact fields are empty or sp_lstchg=0.
+
+---
+ sesman/verify_user.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sesman/verify_user.c
++++ b/sesman/verify_user.c
+@@ -323,7 +323,10 @@ auth_account_disabled(struct spwd* stp)
+     return 1;
+   }
+ 
+-  if (today >= (stp->sp_lstchg+stp->sp_max+stp->sp_inact))
++  if ((stp->sp_max >= 0) &&
++      (stp->sp_inact >= 0) &&
++      (stp->sp_lstchg > 0) &&
++      (today >= (stp->sp_lstchg + stp->sp_max + stp->sp_inact)))
+   {
+     return 1;
+   }
diff --git a/system/xrdp/xrdp.SlackBuild b/system/xrdp/xrdp.SlackBuild
index 8ac44d6ad9..0a18e3aada 100644
--- a/system/xrdp/xrdp.SlackBuild
+++ b/system/xrdp/xrdp.SlackBuild
@@ -5,7 +5,7 @@
 
 PRGNAM=xrdp
 VERSION=${VERSION:-0.6.1}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 
 if [ -z "$ARCH" ]; then
@@ -63,6 +63,11 @@ else
     NOPAM_OPT=""
 fi
 
+# patches from Mancha
+patch -p1 < $CWD/xrdp-v0.6.1_disabled.diff
+patch -p1 < $CWD/xrdp-v0.6.1_crypt.diff
+patch -p1 < $CWD/xrdp-v0.6.1_cleanup-state.diff
+
 # Optional config options if built with FreeRDP:
 #  --enable-freerdp        Build freerdp module (default: no)
 #  --enable-freerdp1       Build freerdp1 module (default: no)