Version in base suite: 0.9.21.1-1+deb12u1

Base version: xrdp_0.9.21.1-1+deb12u1
Target version: xrdp_0.9.21.1-1+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xrdp/xrdp_0.9.21.1-1+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xrdp/xrdp_0.9.21.1-1+deb12u2.dsc

 changelog                                                   |    7 +
 patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch |   75 ++++++++++++
 patches/series                                              |    1 
 3 files changed, 83 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpez2trgn2/xrdp_0.9.21.1-1+deb12u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpez2trgn2/xrdp_0.9.21.1-1+deb12u2.dsc: no acceptable signature found
diff -Nru xrdp-0.9.21.1/debian/changelog xrdp-0.9.21.1/debian/changelog
--- xrdp-0.9.21.1/debian/changelog	2025-05-25 09:46:34.000000000 +0000
+++ xrdp-0.9.21.1/debian/changelog	2026-02-03 12:27:53.000000000 +0000
@@ -1,3 +1,10 @@
+xrdp (0.9.21.1-1+deb12u2) bookworm-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2025-68670: Buffer overflow parsing domain (Closes: #1126537)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 03 Feb 2026 13:27:53 +0100
+
 xrdp (0.9.21.1-1+deb12u1) bookworm; urgency=high
 
   * Non-maintainer upload
diff -Nru xrdp-0.9.21.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch xrdp-0.9.21.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch
--- xrdp-0.9.21.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch	1970-01-01 00:00:00.000000000 +0000
+++ xrdp-0.9.21.1/debian/patches/CVE-2025-68670-Buffer-overflow-parsing-domain.patch	2026-02-03 12:27:28.000000000 +0000
@@ -0,0 +1,75 @@
+From: matt335672 <30179339+matt335672@users.noreply.github.com>
+Date: Thu, 18 Dec 2025 11:37:30 +0000
+Subject: CVE-2025-68670: Buffer overflow parsing domain
+Origin: https://github.com/neutrinolabs/xrdp/commit/5cfd4817888c9a46e74db74e0e011182d04fa771
+Bug-Debian: https://bugs.debian.org/1126537
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-68670
+
+A potential overflow in xrdp_wm_parse_domain_information() is
+addressed
+
+(cherry picked from commit dd4b56c9873bd246ba3d815522b27d90c99fcc30)
+---
+ xrdp/xrdp_login_wnd.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/xrdp/xrdp_login_wnd.c
++++ b/xrdp/xrdp_login_wnd.c
+@@ -277,7 +277,8 @@ xrdp_wm_ok_clicked(struct xrdp_bitmap *w
+ */
+ static int
+ xrdp_wm_parse_domain_information(char *originalDomainInfo, int comboMax,
+-                                 int decode, char *resultBuffer)
++                                 int decode,
++                                 char *resultBuffer, unsigned int resultSize)
+ {
+     int ret;
+     int pos;
+@@ -287,8 +288,7 @@ xrdp_wm_parse_domain_information(char *o
+     /* If the first char in the domain name is '_' we use the domain
+        name as IP*/
+     ret = 0; /* default return value */
+-    /* resultBuffer assumed to be 256 chars */
+-    g_memset(resultBuffer, 0, 256);
++    g_memset(resultBuffer, 0, resultSize);
+     if (originalDomainInfo[0] == '_')
+     {
+         /* we try to locate a number indicating what combobox index the user
+@@ -298,7 +298,7 @@ xrdp_wm_parse_domain_information(char *o
+          * Invalid chars are ignored in microsoft client therefore we use '_'
+          * again. this sec '__' contains the split for index.*/
+         pos = g_pos(&originalDomainInfo[1], "__");
+-        if (pos > 0)
++        if (pos > 0 && (unsigned int)pos < resultSize)
+         {
+             /* an index is found we try to use it */
+             LOG(LOG_LEVEL_DEBUG, "domain contains index char __");
+@@ -325,7 +325,7 @@ xrdp_wm_parse_domain_information(char *o
+         else
+         {
+             LOG(LOG_LEVEL_DEBUG, "domain does not contain _");
+-            g_strncpy(resultBuffer, &originalDomainInfo[1], 255);
++            g_strncpy(resultBuffer, &originalDomainInfo[1], resultSize - 1);
+         }
+     }
+     return ret;
+@@ -450,7 +450,8 @@ xrdp_wm_show_edits(struct xrdp_wm *self,
+                     {
+                         xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+-                            combo->data_list->count, 0, resultIP);
++                            combo->data_list->count, 0,
++                            resultIP, sizeof(resultIP));
+                         g_strncpy(b->caption1, resultIP, 255);
+                         b->edit_pos = g_mbstowcs(0, b->caption1, 0);
+                     }
+@@ -875,7 +876,8 @@ xrdp_login_wnd_create(struct xrdp_wm *se
+     combo->item_index = xrdp_wm_parse_domain_information(
+                             self->session->client_info->domain,
+                             combo->data_list->count, 1,
+-                            resultIP /* just a dummy place holder, we ignore */ );
++                            resultIP,/* just a dummy place holder, we ignore */
++                            sizeof(resultIP));
+     xrdp_wm_show_edits(self, combo);
+ 
+     return 0;
diff -Nru xrdp-0.9.21.1/debian/patches/series xrdp-0.9.21.1/debian/patches/series
--- xrdp-0.9.21.1/debian/patches/series	2025-05-25 09:46:34.000000000 +0000
+++ xrdp-0.9.21.1/debian/patches/series	2026-02-03 12:27:08.000000000 +0000
@@ -10,3 +10,4 @@
 CVE-2023-40184.patch
 CVE-2023-42822.patch
 CVE-2024-39917.patch
+CVE-2025-68670-Buffer-overflow-parsing-domain.patch