Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package freerdp2 for openSUSE:Factory checked in at 2024-05-24 19:53:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freerdp2 (Old) and /work/SRC/openSUSE:Factory/.freerdp2.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freerdp2" Fri May 24 19:53:00 2024 rev:3 rq:1176670 version:2.11.5 Changes: -------- --- /work/SRC/openSUSE:Factory/freerdp2/freerdp2.changes 2024-04-11 19:42:26.800631781 +0200 +++ /work/SRC/openSUSE:Factory/.freerdp2.new.24587/freerdp2.changes 2024-05-24 19:53:22.366407972 +0200 
@@ -1,0 +2,13 @@ +Thu May 23 22:46:05 UTC 2024 - Daike Yu <[email protected]> + +- Multiple CVE fixes + + Add freerdp-CVE-2024-32659.patch (bsc#1223346, CVE-2024-32659) + - out-of-bounds read if `((nWidth == 0) and (nHeight == 0))` + + Add freerdp-CVE-2024-32660.patch (bsc#1223347, CVE-2024-32660) + - client crash via invalid huge allocation size + + Add freerdp-CVE-2024-32661.patch (bsc#1223348, CVE-2024-32661) + - client NULL pointer dereference + + Add freerdp-CVE-2024-32658.patch (bsc#1223353, CVE-2024-32658) + - out-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients + +------------------------------------------------------------------- New: ---- freerdp-CVE-2024-32658.patch freerdp-CVE-2024-32659.patch freerdp-CVE-2024-32660.patch freerdp-CVE-2024-32661.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freerdp2.spec ++++++ --- /var/tmp/diff_new_pack.DBahmR/_old 2024-05-24 19:53:23.854462406 +0200 +++ /var/tmp/diff_new_pack.DBahmR/_new 2024-05-24 19:53:23.870462991 +0200
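Review bot: the freerdp2.changes hunk describes CVE-2024-32659 as an out-of-bounds read "if `((nWidth == 0) and (nHeight == 0))`", but the check added in freerdp-CVE-2024-32659.patch below is `if ((nWidth == 0) || (nHeight == 0))`, i.e. either dimension being zero; change the changelog wording to "or" (and the matching PATCH-FIX-UPSTREAM comment in the spec) so the recorded description matches what the fix actually tests.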
@@ -48,6 +48,14 @@ Patch1: freerdp-CVE-2023-40574-to-2023-40576.patch # PATCH-FIX-OPENSUSE -- Don't let 'cmake(WinPR)' require unneeded tools Patch2: 0001-Don-t-add-winpr-cli-tools-to-exported-CMake-targets.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2024-32659.patch CVE-2024-32659 bsc#1223346 [email protected] -- out-of-bounds read if `((nWidth == 0) and (nHeight == 0))` +Patch3: freerdp-CVE-2024-32659.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2024-32660.patch CVE-2024-32660 bsc#1223347 [email protected] -- client crash via invalid huge allocation size +Patch4: freerdp-CVE-2024-32660.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2024-32661.patch CVE-2024-32661 bsc#1223348 [email protected] -- client NULL pointer dereference +Patch5: freerdp-CVE-2024-32661.patch +# PATCH-FIX-UPSTREAM freerdp-CVE-2024-32658.patch CVE-2024-32658 bsc#1223353 [email protected] -- out-of-bounds read in Interleaved RLE Bitmap Codec in FreeRDP based clients +Patch6: freerdp-CVE-2024-32658.patch BuildRequires: cmake >= 2.8 BuildRequires: cups-devel BuildRequires: ed ++++++ freerdp-CVE-2024-32658.patch ++++++ ++++ 1046 lines (skipped) ++++++ freerdp-CVE-2024-32659.patch ++++++ >From a7f83e9e13addee21e6c3840d20fc467776fbb56 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sun, 21 Apr 2024 10:18:43 +0200 Subject: [PATCH] [codec,color] fix out of bound read --- libfreerdp/codec/color.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libfreerdp/codec/color.c b/libfreerdp/codec/color.c index 00919983c..f8467c295 100644 --- a/libfreerdp/codec/color.c +++ b/libfreerdp/codec/color.c @@ -613,6 +613,9 @@ BOOL freerdp_image_copy(BYTE* pDstData, DWORD DstFormat, UINT32 nDstStep, UINT32 if (!pDstData || !pSrcData) return FALSE; + if ((nWidth == 0) || (nHeight == 0)) + return TRUE; + if (nDstStep == 0) nDstStep = nWidth * GetBytesPerPixel(DstFormat); -- 2.45.0 ++++++ freerdp-CVE-2024-32660.patch ++++++ >From 2ffa1fc095b2c6673e3581ef1bc7d8076edfd4a3 Mon Sep 17 00:00:00 2001 
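Review bot: the freerdp2.spec hunk declares `Patch3:` through `Patch6:` but the shown region does not include %prep, so confirm the new patches are actually applied there (an `%autosetup -p1` or matching `%patch` lines); a declared-but-unapplied patch builds cleanly while leaving the CVE unfixed, and nothing in this diff shows the application step. The PATCH-FIX-UPSTREAM comment on Patch3 also repeats the `and` wording for a check that is `||` in the patch itself.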
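Review bot: in the freerdp_image_copy hunk of freerdp-CVE-2024-32659.patch, the new `if ((nWidth == 0) || (nHeight == 0)) return TRUE;` reports success for a zero-area copy, which is a sensible contract, but it deserves a one-line comment saying so: the very next lines derive `nDstStep = nWidth * GetBytesPerPixel(DstFormat)` when `nDstStep == 0`, so without the early return a zero width would produce a zero stride that is then handed to the copy loops, which is the out-of-bound read the subject line refers to. Placing the check after the `!pDstData || !pSrcData` test is correct, since a NULL buffer should still be rejected regardless of size.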
From: akallabeth <[email protected]> Date: Sat, 20 Apr 2024 19:59:48 +0200 Subject: [PATCH] [codec,zgfx] allocate in segment steps do not trust the uncompressedSize of a ZGFX_SEGMENTED_MULTIPART and allocate the output buffer in steps after decoding a segment. --- libfreerdp/codec/zgfx.c | 90 +++++++++++++++++++++++++---------------- 1 file changed, 56 insertions(+), 34 deletions(-) diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c index 841b50860..51fa87d15 100644 --- a/libfreerdp/codec/zgfx.c +++ b/libfreerdp/codec/zgfx.c @@ -23,6 +23,7 @@ #include "config.h" #endif +#include <winpr/assert.h> #include <winpr/crt.h> #include <winpr/print.h> #include <winpr/bitstream.h> @@ -381,16 +382,50 @@ static BYTE* aligned_zgfx_malloc(size_t size) return malloc(size + 64); } +static BOOL zgfx_append(ZGFX_CONTEXT* zgfx, BYTE** ppConcatenated, size_t uncompressedSize, + size_t* pUsed) +{ + WINPR_ASSERT(zgfx); + WINPR_ASSERT(ppConcatenated); + WINPR_ASSERT(pUsed); + + const size_t used = *pUsed; + if (zgfx->OutputCount > UINT32_MAX - used) + return FALSE; + + if (used + zgfx->OutputCount > uncompressedSize) + return FALSE; + + BYTE* tmp = realloc(*ppConcatenated, used + zgfx->OutputCount + 64ull); + if (!tmp) + return FALSE; + *ppConcatenated = tmp; + CopyMemory(&tmp[used], zgfx->OutputBuffer, zgfx->OutputCount); + *pUsed = used + zgfx->OutputCount; + return TRUE; +} + int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BYTE** ppDstData, UINT32* pDstSize, UINT32 flags) { int status = -1; - BYTE descriptor; + BYTE descriptor = 0; + wStream sbuffer = { 0 }; + size_t used = 0; + BYTE* pConcatenated = NULL; wStream* stream = Stream_New((BYTE*)pSrcData, SrcSize); if (!stream) return -1; + WINPR_ASSERT(zgfx); + WINPR_ASSERT(stream); + WINPR_ASSERT(ppDstData); + WINPR_ASSERT(pDstSize); + + *ppDstData = NULL; + *pDstSize = 0; + if (Stream_GetRemainingLength(stream) < 1) goto fail; 
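Review bot: in the zgfx_append/zgfx_decompress hunk (`@@ -381,16 +382,50 @@`), `wStream sbuffer = { 0 };` is added to zgfx_decompress but is not referenced anywhere in this patch; unless a later hunk uses it, drop it to avoid an unused-variable warning. In zgfx_append the `+ 64ull` slack on `realloc(*ppConcatenated, used + zgfx->OutputCount + 64ull)` mirrors aligned_zgfx_malloc's `return malloc(size + 64);` but is now a second copy of the same magic number; give it a named constant or a comment explaining why 64 bytes of over-allocation are required so the two stay in sync. The `WINPR_ASSERT(zgfx)` / `WINPR_ASSERT(ppDstData)` / `WINPR_ASSERT(pDstSize)` lines sit after `Stream_New`; moving them above it keeps argument validation ahead of the first allocation.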
@@ -401,25 +436,22 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY if (!zgfx_decompress_segment(zgfx, stream, Stream_GetRemainingLength(stream))) goto fail; - *ppDstData = NULL; - if (zgfx->OutputCount > 0) - *ppDstData = aligned_zgfx_malloc(zgfx->OutputCount); - - if (!*ppDstData) - goto fail; - - *pDstSize = zgfx->OutputCount; - CopyMemory(*ppDstData, zgfx->OutputBuffer, zgfx->OutputCount); + { + if (!zgfx_append(zgfx, &pConcatenated, zgfx->OutputCount, &used)) + goto fail; + if (used != zgfx->OutputCount) + goto fail; + *ppDstData = pConcatenated; + *pDstSize = zgfx->OutputCount; + } } else if (descriptor == ZGFX_SEGMENTED_MULTIPART) { - UINT32 segmentSize; - UINT16 segmentNumber; - UINT16 segmentCount; - UINT32 uncompressedSize; - BYTE* pConcatenated; - size_t used = 0; + UINT32 segmentSize = 0; + UINT16 segmentNumber = 0; + UINT16 segmentCount = 0; + UINT32 uncompressedSize = 0; if (Stream_GetRemainingLength(stream) < 6) goto fail; @@ -427,17 +459,6 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY Stream_Read_UINT16(stream, segmentCount); /* segmentCount (2 bytes) */ Stream_Read_UINT32(stream, uncompressedSize); /* uncompressedSize (4 bytes) */ - if (Stream_GetRemainingLength(stream) < segmentCount * sizeof(UINT32)) - goto fail; - - pConcatenated = aligned_zgfx_malloc(uncompressedSize); - - if (!pConcatenated) - goto fail; - - *ppDstData = pConcatenated; - *pDstSize = uncompressedSize; - for (segmentNumber = 0; segmentNumber < segmentCount; segmentNumber++) { if (Stream_GetRemainingLength(stream) < sizeof(UINT32)) 
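Review bot: the single-segment branch (the one above `else if (descriptor == ZGFX_SEGMENTED_MULTIPART)`) changes behaviour for an empty segment: the removed code only allocated `if (zgfx->OutputCount > 0)` and otherwise fell into `if (!*ppDstData) goto fail;`, so zero decoded bytes was an error, whereas `zgfx_append(zgfx, &pConcatenated, zgfx->OutputCount, &used)` now calls realloc with size 0 + 0 + 64 and succeeds with `*pDstSize = zgfx->OutputCount` equal to 0. If that is intended, record it in the commit message; if not, keep an `OutputCount > 0` guard. The following `if (used != zgfx->OutputCount) goto fail;` can never fire because zgfx_append has just set `*pUsed = used + zgfx->OutputCount` with `used` starting at 0; it is harmless, but a comment marking it as defensive saves the reader from hunting for the case.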
@@ -448,16 +469,15 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY if (!zgfx_decompress_segment(zgfx, stream, segmentSize)) goto fail; - if (zgfx->OutputCount > UINT32_MAX - used) + if (!zgfx_append(zgfx, &pConcatenated, uncompressedSize, &used)) goto fail; + } - if (used + zgfx->OutputCount > uncompressedSize) - goto fail; + if (used != uncompressedSize) + goto fail; - CopyMemory(pConcatenated, zgfx->OutputBuffer, zgfx->OutputCount); - pConcatenated += zgfx->OutputCount; - used += zgfx->OutputCount; - } + *ppDstData = pConcatenated; + *pDstSize = uncompressedSize; } else { @@ -467,6 +487,8 @@ int zgfx_decompress(ZGFX_CONTEXT* zgfx, const BYTE* pSrcData, UINT32 SrcSize, BY status = 1; fail: Stream_Free(stream, FALSE); + if (status < 0) + free(pConcatenated); return status; } -- 2.45.0 ++++++ freerdp-CVE-2024-32661.patch ++++++ >From fd900a4ca1c14851f48b4a284882956fc3e727c7 Mon Sep 17 00:00:00 2001 From: akallabeth <[email protected]> Date: Sun, 21 Apr 2024 13:56:13 +0200 Subject: [PATCH] [core,info] fix missing check in rdp_write_logon_info_v1 --- libfreerdp/core/info.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c index 9aaa6cff6..a0e147f31 100644 --- a/libfreerdp/core/info.c +++ b/libfreerdp/core/info.c @@ -23,6 +23,7 @@ #include "config.h" #endif +#include <winpr/assert.h> #include <winpr/crt.h> #include <freerdp/crypto/crypto.h> #include <freerdp/log.h> @@ -1322,6 +1323,10 @@ static BOOL rdp_write_logon_info_v1(wStream* s, logon_info* info) return FALSE; /* domain */ + WINPR_ASSERT(info); + if (!info->domain || !info->username) + return FALSE; + ilen = ConvertToUnicode(CP_UTF8, 0, info->domain, -1, &wString, 0); if (ilen < 0) -- 2.45.0
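Review bot: in the multipart loop/fail hunks (`@@ -448,16 +469,15 @@` and `@@ -467,6 +487,8 @@`), a header with `segmentCount == 0` and `uncompressedSize == 0` skips the loop, passes `if (used != uncompressedSize)` with `pConcatenated` still NULL, and returns status 1 with `*ppDstData == NULL` and `*pDstSize == 0`; the removed code always allocated via `aligned_zgfx_malloc(uncompressedSize)`, so callers may assume a non-NULL buffer on success. Either reject `segmentCount == 0` (or `uncompressedSize == 0`) right after the header read, or document that a successful return may carry a NULL buffer. The `if (status < 0) free(pConcatenated);` cleanup is correct and, together with the early `*ppDstData = NULL;`, means a failing call no longer hands the caller a partially filled buffer.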
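Review bot: in the rdp_write_logon_info_v1 hunk of freerdp-CVE-2024-32661.patch, `WINPR_ASSERT(info);` is placed just before the `/* domain */` step, after the function has already executed earlier code (the hunk context shows a prior `return FALSE;`), so a NULL `info` would be dereferenced or misreported before the assertion is ever reached; move the assert to the top of the function and keep only the `if (!info->domain || !info->username) return FALSE;` check here. Consider logging which field is missing before that `return FALSE`, since a bare FALSE from a writer is hard to diagnose on the client.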
