Hello community, here is the log from the commit of package freerdp for openSUSE:Factory checked in at 2014-06-19 13:19:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freerdp (Old) and /work/SRC/openSUSE:Factory/.freerdp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freerdp" Changes: -------- --- /work/SRC/openSUSE:Factory/freerdp/freerdp.changes 2013-11-04 14:52:50.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.freerdp.new/freerdp.changes 2014-06-19 13:19:54.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Jun 12 20:50:36 UTC 2014 - [email protected] + +- Add freerdp-CVE-2014-0250.patch to fix bnc#880317 + solves CVE-2014-0250, backport from upstream + +------------------------------------------------------------------- New: ---- freerdp-CVE-2014-0250.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freerdp.spec ++++++ --- /var/tmp/diff_new_pack.dze6sP/_old 2014-06-19 13:19:55.000000000 +0200 +++ /var/tmp/diff_new_pack.dze6sP/_new 2014-06-19 13:19:55.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package freerdp # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -33,16 +33,18 @@ Patch4: freerdp-handle-null-device-name.patch # PATCH-FIX-UPSTREAM (wip) fix handle of kpdivide on keypad - issue #831 Patch5: freerdp_branch-1.0.x_fix-kpdivide-issue831.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2014-0250.patch bnc#880317 [email protected] - backport from upstream +Patch6: freerdp-CVE-2014-0250.patch +BuildRequires: alsa-devel BuildRequires: cmake BuildRequires: cups-devel BuildRequires: ed +BuildRequires: libopenssl-devel +BuildRequires: libpulse-devel +BuildRequires: pcsc-lite-devel BuildRequires: xmlto BuildRequires: xorg-x11-devel BuildRequires: zlib-devel -BuildRequires: alsa-devel -BuildRequires: pcsc-lite-devel -BuildRequires: libpulse-devel -BuildRequires: libopenssl-devel Recommends: libfreerdp-plugins BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -83,6 +85,7 @@ %patch1 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 # use a versioned subdirectory for plugins in order to comply with the shared # library policy ed -s CMakeLists.txt 2>/dev/null <<'EOF' ++++++ freerdp-CVE-2014-0250.patch ++++++ diff -Npur FreeRDP-1.0.2/libfreerdp-core/fastpath.c FreeRDP-1.0.2-new/libfreerdp-core/fastpath.c --- FreeRDP-1.0.2/libfreerdp-core/fastpath.c 2013-01-03 05:46:59.000000000 +0800 +++ FreeRDP-1.0.2-new/libfreerdp-core/fastpath.c 2014-06-13 04:46:30.293159988 +0800 @@ -203,8 +203,10 @@ static void fastpath_recv_update(rdpFast break; case FASTPATH_UPDATETYPE_COLOR: - update_read_pointer_color(s, &pointer->pointer_color); - IFCALL(pointer->PointerColor, context, &pointer->pointer_color); + if (update_read_pointer_color(s, &pointer->pointer_color)) + IFCALL(pointer->PointerColor, context, &pointer->pointer_color); + else + DEBUG_WARN("update color failed"); break; case FASTPATH_UPDATETYPE_CACHED: @@ -213,8 +215,10 @@ static void fastpath_recv_update(rdpFast break; case FASTPATH_UPDATETYPE_POINTER: - update_read_pointer_new(s, &pointer->pointer_new); - IFCALL(pointer->PointerNew, context, &pointer->pointer_new); + if (update_read_pointer_new(s, &pointer->pointer_new)) + IFCALL(pointer->PointerNew, context, &pointer->pointer_new); + else + DEBUG_WARN("update pointer error"); break; default: diff -Npur FreeRDP-1.0.2/libfreerdp-core/rdp.c FreeRDP-1.0.2-new/libfreerdp-core/rdp.c --- FreeRDP-1.0.2/libfreerdp-core/rdp.c 2013-01-03 05:46:59.000000000 +0800 +++ FreeRDP-1.0.2-new/libfreerdp-core/rdp.c 2014-06-13 04:37:01.317162752 +0800 @@ -471,7 +471,7 @@ void rdp_recv_set_error_info_data_pdu(rd rdp_print_errinfo(rdp->errorInfo); } -void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s) +boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s) { uint8 type; uint16 length; 
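Review bot: In both fastpath cases a failed parse is only logged with DEBUG_WARN and the switch breaks, so the stream is left positioned after the width/height fields and whatever fastpath_recv_update's caller does next keeps parsing from that point; the slow path in rdp.c aborts the PDU on the same failure, so the two paths now disagree on how a malformed pointer update is handled. The hunk header shows fastpath_recv_update is `static void`, so the failure cannot be propagated without changing its signature; if its caller loops over several updates in one fastpath PDU (not visible here), it should stop at this error rather than continue on a desynchronised stream. The minimal change is to return `boolean` from fastpath_recv_update, `return false;` in place of each DEBUG_WARN, and have the caller bail out — this touches lines outside the hunk and needs checking against the rest of fastpath.c. fastpath_recv_update starts before the first hunk and ends after the second.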
@@ -497,7 +497,8 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STRE break; case DATA_PDU_TYPE_POINTER: - update_recv_pointer(rdp->update, s); + if (!update_recv_pointer(rdp->update, s)) + return false; break; case DATA_PDU_TYPE_INPUT: @@ -571,6 +572,7 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STRE default: break; } + return true; } boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s) @@ -583,8 +585,10 @@ boolean rdp_recv_out_of_sequence_pdu(rdp if (type == PDU_TYPE_DATA) { - rdp_recv_data_pdu(rdp, s); - return true; + if (rdp_recv_data_pdu(rdp, s)) + return true; + else + return false; } else if (type == PDU_TYPE_SERVER_REDIRECTION) { @@ -719,7 +723,8 @@ static boolean rdp_recv_tpkt_pdu(rdpRdp* switch (pduType) { case PDU_TYPE_DATA: - rdp_recv_data_pdu(rdp, s); + if (!rdp_recv_data_pdu(rdp, s)) + return false; break; case PDU_TYPE_DEACTIVATE_ALL: diff -Npur FreeRDP-1.0.2/libfreerdp-core/rdp.h FreeRDP-1.0.2-new/libfreerdp-core/rdp.h --- FreeRDP-1.0.2/libfreerdp-core/rdp.h 2013-01-03 05:46:59.000000000 +0800 +++ FreeRDP-1.0.2-new/libfreerdp-core/rdp.h 2014-06-13 04:37:01.317162752 +0800 @@ -181,7 +181,7 @@ boolean rdp_send_pdu(rdpRdp* rdp, STREAM STREAM* rdp_data_pdu_init(rdpRdp* rdp); boolean rdp_send_data_pdu(rdpRdp* rdp, STREAM* s, uint8 type, uint16 channel_id); -void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s); +boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s); boolean rdp_send(rdpRdp* rdp, STREAM* s, uint16 channel_id); void rdp_recv(rdpRdp* rdp); diff -Npur FreeRDP-1.0.2/libfreerdp-core/update.c FreeRDP-1.0.2-new/libfreerdp-core/update.c --- FreeRDP-1.0.2/libfreerdp-core/update.c 2013-01-03 05:46:59.000000000 +0800 +++ FreeRDP-1.0.2-new/libfreerdp-core/update.c 2014-06-13 04:37:01.317162752 +0800 
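Review bot: The out-of-sequence branch spells the propagated result as `if (rdp_recv_data_pdu(rdp, s)) return true; else return false;`, which reads as if the two outcomes were handled differently; `return rdp_recv_data_pdu(rdp, s);` says the same thing in one line. It would also help to document at `boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)` that false means the PDU was malformed and `s` is no longer at a PDU boundary, because rdp_recv_tpkt_pdu now returns false for it and its caller (outside this hunk) must treat that as fatal for the session rather than retry on the same stream. rdp_recv_data_pdu begins in the previous hunk and its switch continues past the end of the first hunk here.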
@@ -165,13 +165,27 @@ void update_read_pointer_system(STREAM* stream_read_uint32(s, pointer_system->type); /* systemPointerType (4 bytes) */ } -void update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color) +boolean update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color) { stream_read_uint16(s, pointer_color->cacheIndex); /* cacheIndex (2 bytes) */ stream_read_uint16(s, pointer_color->xPos); /* xPos (2 bytes) */ stream_read_uint16(s, pointer_color->yPos); /* yPos (2 bytes) */ + + /** + * As stated in 2.2.9.1.1.4.4 Color Pointer Update: + * The maximum allowed pointer width/height is 96 pixels if the client indicated support + * for large pointers by setting the LARGE_POINTER_FLAG (0x00000001) in the Large + * Pointer Capability Set (section 2.2.7.2.7). If the LARGE_POINTER_FLAG was not + * set, the maximum allowed pointer width/height is 32 pixels. + * + * So we check for a maximum of 96 for CVE-2014-0250. + */ stream_read_uint16(s, pointer_color->width); /* width (2 bytes) */ stream_read_uint16(s, pointer_color->height); /* height (2 bytes) */ + if ((pointer_color->width > 96) || (pointer_color->height > 96)) + return false; + + stream_read_uint16(s, pointer_color->lengthAndMask); /* lengthAndMask (2 bytes) */ stream_read_uint16(s, pointer_color->lengthXorMask); /* lengthXorMask (2 bytes) */ @@ -200,12 +214,13 @@ void update_read_pointer_color(STREAM* s if (stream_get_left(s) > 0) stream_seek_uint8(s); /* pad (1 byte) */ + return true; } -void update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new) +boolean update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new) { stream_read_uint16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */ - update_read_pointer_color(s, &pointer_new->colorPtrAttr); /* colorPtrAttr */ + return update_read_pointer_color(s, &pointer_new->colorPtrAttr); /* colorPtrAttr */ } void update_read_pointer_cached(STREAM* s, POINTER_CACHED_UPDATE* pointer_cached) 
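Review bot: The new check bounds width and height, but nothing visible bounds lengthAndMask and lengthXorMask, which are read two lines later and are the values that actually size the mask data; the part of the function that consumes them lies between the two hunks and is not shown, so if it still copies `lengthXorMask` bytes without comparing against `stream_get_left(s)` and against what a `width`×`height` bitmap can hold, the 96-pixel cap alone does not close the overflow. A check right after the two reads, `if (stream_get_left(s) < pointer_color->lengthAndMask + pointer_color->lengthXorMask) return false;`, at least prevents reading past the end of the PDU. The comment above the cap should also state that 96 is applied as the protocol maximum regardless of whether LARGE_POINTER_FLAG was negotiated, since the 32-pixel limit is deliberately not enforced here. Returning false leaves the stream mid-record, which is acceptable only because the slow-path callers in this patch drop the whole PDU; the fastpath callers merely log.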
@@ -213,7 +228,7 @@ void update_read_pointer_cached(STREAM* stream_read_uint16(s, pointer_cached->cacheIndex); /* cacheIndex (2 bytes) */ } -void update_recv_pointer(rdpUpdate* update, STREAM* s) +boolean update_recv_pointer(rdpUpdate* update, STREAM* s) { uint16 messageType; rdpContext* context = update->context; @@ -235,8 +250,10 @@ void update_recv_pointer(rdpUpdate* upda break; case PTR_MSG_TYPE_COLOR: - update_read_pointer_color(s, &pointer->pointer_color); - IFCALL(pointer->PointerColor, context, &pointer->pointer_color); + if (update_read_pointer_color(s, &pointer->pointer_color)) + IFCALL(pointer->PointerColor, context, &pointer->pointer_color); + else + return false; break; case PTR_MSG_TYPE_POINTER: @@ -252,6 +269,7 @@ void update_recv_pointer(rdpUpdate* upda default: break; } + return true; } void update_recv(rdpUpdate* update, STREAM* s) diff -Npur FreeRDP-1.0.2/libfreerdp-core/update.h FreeRDP-1.0.2-new/libfreerdp-core/update.h --- FreeRDP-1.0.2/libfreerdp-core/update.h 2013-01-03 05:46:59.000000000 +0800 +++ FreeRDP-1.0.2-new/libfreerdp-core/update.h 2014-06-13 04:45:52.981160169 +0800 
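Review bot: Only the PTR_MSG_TYPE_COLOR case checks the parser's result; the PTR_MSG_TYPE_POINTER case that starts at the end of the second hunk is unchanged (its body falls between the hunks, old lines 243–251, and is not shown), so on the slow path the new boolean from update_read_pointer_new appears to be discarded and an oversized new-pointer update would still be handed to `pointer->PointerNew` — the same path the cap was added for. That case should mirror the COLOR one: `if (!update_read_pointer_new(s, &pointer->pointer_new)) return false;` before the IFCALL. update_recv_pointer's signature is in the first hunk here and its closing `return true;` in the third.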
@@ -43,13 +43,13 @@ void update_reset_state(rdpUpdate* updat void update_read_bitmap(rdpUpdate* update, STREAM* s, BITMAP_UPDATE* bitmap_update); void update_read_palette(rdpUpdate* update, STREAM* s, PALETTE_UPDATE* palette_update); void update_recv_play_sound(rdpUpdate* update, STREAM* s); -void update_recv_pointer(rdpUpdate* update, STREAM* s); +boolean update_recv_pointer(rdpUpdate* update, STREAM* s); void update_recv(rdpUpdate* update, STREAM* s); void update_read_pointer_position(STREAM* s, POINTER_POSITION_UPDATE* pointer_position); void update_read_pointer_system(STREAM* s, POINTER_SYSTEM_UPDATE* pointer_system); -void update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color); -void update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new); +boolean update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color); +boolean update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new); void update_read_pointer_cached(STREAM* s, POINTER_CACHED_UPDATE* pointer_cached); void update_register_server_callbacks(rdpUpdate* update);
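Review bot: The three prototypes now return boolean, but the header says nothing about what false means or where the stream is left afterwards, so a caller has no cue that the return is a validation result that must not be ignored. A comment above `boolean update_recv_pointer(rdpUpdate* update, STREAM* s);` such as `/* Returns false if the pointer update is malformed (e.g. width/height above the 96-pixel protocol maximum); the stream is then mid-PDU and the caller must discard the whole PDU. */` would make that explicit. The same note belongs on update_read_pointer_color and update_read_pointer_new.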
