Hello community, here is the log from the commit of package rdesktop for openSUSE:11.3 checked in at Thu May 12 20:52:28 CEST 2011.
-------- --- old-versions/11.3/all/rdesktop/rdesktop.changes 2009-02-04 16:55:45.000000000 +0100 +++ 11.3/rdesktop/rdesktop.changes 2011-05-12 15:47:18.000000000 +0200 @@ -1,0 +2,12 @@ +Thu May 12 15:46:43 CEST 2011 - [email protected] + +- protect against arbitrary file access (CVE-2011-1595, bnc#689029) + +------------------------------------------------------------------- +Fri Feb 26 15:59:50 CST 2010 - [email protected] + +- Add a rdesktop.xpm icon which was from 48x48/yast-remote.png + (bnc#578859) + +------------------------------------------------------------------- + Package does not exist at destination yet. Using Fallback old-versions/11.3/all/rdesktop Destination is old-versions/11.3/UPDATES/all/rdesktop calling whatdependson for 11.3-i586 New: ---- rdesktop-add-icon.patch rdesktop.xpm remote-file-access.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rdesktop.spec ++++++ --- /var/tmp/diff_new_pack.dTCruv/_old 2011-05-12 20:45:11.000000000 +0200 +++ /var/tmp/diff_new_pack.dTCruv/_new 2011-05-12 20:45:11.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package rdesktop (Version 1.6.0) +# spec file for package rdesktop # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -25,14 +25,17 @@ Group: Productivity/Networking/Remote Desktop AutoReqProv: on Version: 1.6.0 -Release: 38 +Release: 43.<RELEASE2> Summary: A Remote Desktop Protocol client Source: %{name}-%{version}.tar.bz2 +Source2: rdesktop.xpm Patch0: rdesktop-1.4.0-lib64.dif Patch1: rdesktop-1.5.0-fs-fix-1.dif Patch2: rdesktop-1.5.0-fix-printer-strcmp.dif Patch3: rdesktop-1.6.0-fix-pkgconfig-check.dif Patch4: rdesktop-NOMAD.dif +Patch5: rdesktop-add-icon.patch +Patch6: remote-file-access.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -54,6 +57,8 @@ %patch2 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 %build %{suse_update_config} @@ -70,6 +75,8 @@ mkdir -p $RPM_BUILD_ROOT/usr/share/rdesktop cp -r keymaps $RPM_BUILD_ROOT/usr/share/rdesktop chmod -R a+r $RPM_BUILD_ROOT/usr/share/rdesktop/keymaps +mkdir $RPM_BUILD_ROOT/usr/share/rdesktop/pixmaps +install -m 644 $RPM_SOURCE_DIR/rdesktop.xpm $RPM_BUILD_ROOT/usr/share/rdesktop/pixmaps %clean rm -rf $RPM_BUILD_ROOT ++++++ rdesktop-add-icon.patch ++++++ diff -Npur rdesktop-1.6.0.old/Makefile.in rdesktop-1.6.0.new/Makefile.in --- rdesktop-1.6.0.old/Makefile.in 2010-02-26 14:47:06.000000000 +0800 +++ rdesktop-1.6.0.new/Makefile.in 2010-02-26 15:35:48.000000000 +0800 @@ -13,10 +13,11 @@ datadir = @datadir@ VERSION = @PACKAGE_VERSION@ KEYMAP_PATH = $(datadir)/rdesktop/keymaps/ +PIXMAPS_PATH = $(datadir)/rdesktop/pixmaps/ CC = @CC@ INSTALL = @INSTALL@ -CFLAGS = @CFLAGS@ @X_CFLAGS@ @DEFS@ -DKEYMAP_PATH=\"$(KEYMAP_PATH)\" +CFLAGS = @CFLAGS@ @X_CFLAGS@ @DEFS@ -DKEYMAP_PATH=\"$(KEYMAP_PATH)\" -DPIXMAPS_PATH=\"$(PIXMAPS_PATH)\" LDFLAGS = @LDFLAGS@ @LIBS@ @X_LIBS@ @X_EXTRA_LIBS@ STRIP = @STRIP@ 
@@ -35,7 +36,7 @@ VNCOBJ = vnc/rdp2vnc.o vnc/vnc.o vnc/x all: $(TARGETS) rdesktop: $(X11OBJ) $(SOUNDOBJ) $(RDPOBJ) $(SCARDOBJ) - $(CC) $(CFLAGS) -o rdesktop $(X11OBJ) $(SOUNDOBJ) $(RDPOBJ) $(SCARDOBJ) $(LDFLAGS) -lX11 -lXext + $(CC) $(CFLAGS) -o rdesktop $(X11OBJ) $(SOUNDOBJ) $(RDPOBJ) $(SCARDOBJ) $(LDFLAGS) -lX11 -lXext -lXpm rdp2vnc: $(VNCOBJ) $(SOUNDOBJ) $(RDPOBJ) $(SCARDOBJ) $(VNCLINK) $(CFLAGS) -o rdp2vnc $(VNCOBJ) $(SOUNDOBJ) $(RDPOBJ) $(SCARDOBJ) $(LDFLAGS) $(LDVNC) diff -Npur rdesktop-1.6.0.old/xwin.c rdesktop-1.6.0.new/xwin.c --- rdesktop-1.6.0.old/xwin.c 2010-02-26 14:47:06.000000000 +0800 +++ rdesktop-1.6.0.new/xwin.c 2010-02-26 15:41:48.000000000 +0800 @@ -24,6 +24,7 @@ #include <X11/Xproto.h> #include <X11/Xatom.h> #include <X11/extensions/shape.h> +#include <X11/xpm.h> #include <unistd.h> #include <sys/time.h> #include <time.h> @@ -2056,6 +2057,9 @@ ui_create_window(void) int wndx; int wndy; Atom protocols[2]; + XWMHints *win_icon_hints; + Pixmap icon_pixmap, icon_mask_pixmap; + char rdesktop_icon [256]; wndx = 0; wndy = 0; @@ -2102,6 +2106,17 @@ ui_create_window(void) XStoreName(g_display, g_wnd, g_title); ewmh_set_wm_name(g_wnd, g_title); + snprintf (rdesktop_icon, 256, "%s%s", PIXMAPS_PATH, "rdesktop.xpm"); + if (!XReadPixmapFile (g_display, g_wnd, rdesktop_icon, &icon_pixmap, &icon_mask_pixmap, NULL)) + { + win_icon_hints = XAllocWMHints(); + win_icon_hints->flags = IconPixmapHint | IconMaskHint; + win_icon_hints->icon_pixmap = icon_pixmap; + win_icon_hints->icon_mask = icon_mask_pixmap; + XSetWMHints(g_display, g_wnd, win_icon_hints); + XFree (win_icon_hints); + } + if (g_hide_decorations) mwm_hide_decorations(g_wnd); ++++++ rdesktop.xpm ++++++ ++++ 945 lines (skipped) ++++++ remote-file-access.patch ++++++ --- disk.c +++ disk.c 
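Review bot: `XAllocWMHints()` can return NULL, and the block added to ui_create_window in the last xwin.c hunk writes `win_icon_hints->flags` without checking; wrap the assignments, `XSetWMHints` and `XFree` in `if (win_icon_hints != NULL)`. The `!XReadPixmapFile(...)` test accepts only a zero return, so the positive XpmColorError result, where as far as I know libXpm has still created both pixmaps, is treated as failure and the pixmaps are neither used nor released. The literal `256` in `snprintf (rdesktop_icon, 256, ...)` repeats the array size declared in the previous hunk; `sizeof(rdesktop_icon)` keeps the two in step, and a truncated path should skip the icon load rather than be passed on. ui_create_window starts and ends outside these hunks.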
@@ -356,6 +356,19 @@ filename[strlen(filename) - 1] = 0; sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename); + /* Protect against mailicous servers: + somelongpath/.. not allowed + somelongpath/../b not allowed + somelongpath/..b in principle ok, but currently not allowed + somelongpath/b.. ok + somelongpath/b..b ok + somelongpath/b../c ok + */ + if (strstr(path, "/..")) + { + return RD_STATUS_ACCESS_DENIED; + } + switch (create_disposition) { case CREATE_ALWAYS: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
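Review bot: The `/..` test runs only after the unbounded `sprintf(path, "%s%s", ...)` directly above it, so an over-long name from the server has already been written into `path` before anything is rejected. Bound the copy and treat truncation as a denial, e.g. `snprintf(path, sizeof(path), "%s%s", g_rdpdr_device[device_id].local_path, filename)` with the return value checked (this assumes `path` is an array; its declaration is outside the hunk). Because the test is applied to the joined string, a share whose configured `local_path` itself contains `/..` would have every request refused; testing `filename`, including a leading `..`, avoids that. A substring test does not cover symlinks inside the exported directory, and any other function that builds a local path from a server-supplied name is not visible here and may need the same guard. The enclosing function starts and ends outside the hunk, and the new comment spells "malicious" as `mailicous`.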
