diff --git a/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch b/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch new file mode 100644 index 0000000..af2b802 --- /dev/null +++ b/SOURCES/Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch 
@@ -0,0 +1,69 @@ +From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Mon, 30 Mar 2020 17:32:04 +0200 +Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0 + +Thanks to Sunglin and HuanGMz from Knownsec 404 +--- + libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c +index d3b28b562..1ffbf79bf 100644 +--- a/libfreerdp/gdi/region.c ++++ b/libfreerdp/gdi/region.c +@@ -37,6 +37,19 @@ + + #define TAG FREERDP_TAG("gdi.region") + ++static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect) ++{ ++ if (!buffer || (size < 1) || !rect) ++ return NULL; ++ ++ _snprintf(buffer, size - 1, ++ "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top, ++ rect->left, rect->bottom, rect->right); ++ buffer[size - 1] = '\0'; ++ ++ return buffer; ++} ++ + /** + * Create a region from rectangular coordinates.\n + * @msdn{dd183514} +@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect, + INT32* x, INT32* y, + INT32* w, INT32* h) + { ++ INT64 tmp; + *x = rect->left; + *y = rect->top; +- *w = rect->right - rect->left + 1; +- *h = rect->bottom - rect->top + 1; ++ tmp = rect->right - rect->left + 1; ++ if ((tmp < 0) || (tmp > INT32_MAX)) ++ { ++ char buffer[256]; ++ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__, ++ gdi_rect_str(buffer, sizeof(buffer), rect)); ++ *w = 0; ++ } ++ else ++ *w = tmp; ++ tmp = rect->bottom - rect->top + 1; ++ if ((tmp < 0) || (tmp > INT32_MAX)) ++ { ++ char buffer[256]; ++ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__, ++ gdi_rect_str(buffer, sizeof(buffer), rect)); ++ *h = 0; ++ } ++ else ++ *h = tmp; + } + + /** +-- +2.26.2 + 
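Review bot: In the new `gdi_RectToCRgn` body the width and height are still computed in 32-bit arithmetic before being widened, so `tmp = rect->right - rect->left + 1;` can overflow (signed overflow, undefined behaviour) before the `(tmp < 0) || (tmp > INT32_MAX)` test ever sees the value, assuming the rect fields are 32-bit as the `PRId32` formats in `gdi_rect_str` indicate. Widening the first operand makes the whole expression 64-bit: `tmp = (INT64)rect->right - rect->left + 1;` and likewise `tmp = (INT64)rect->bottom - rect->top + 1;`. The function's signature line is the hunk header context, so the definition begins one line before the hunk. The two identical error branches could share one helper, but that is cosmetic next to the overflow.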
diff --git a/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch b/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch new file mode 100644 index 0000000..c117ff1 --- /dev/null +++ b/SOURCES/Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch @@ -0,0 +1,42 @@ +From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Mon, 30 Mar 2020 18:05:17 +0200 +Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved + +Thanks to Sunglin and HuanGMz from Knownsec 404 +--- + libfreerdp/codec/include/bitmap.c | 4 ++++ + libfreerdp/codec/interleaved.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c +index 602d1b333..734ed136d 100644 +--- a/libfreerdp/codec/include/bitmap.c ++++ b/libfreerdp/codec/include/bitmap.c +@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer, + case MEGA_MEGA_COLOR_IMAGE: + runLength = ExtractRunLength(code, pbSrc, &advance); + pbSrc = pbSrc + advance; ++ ++ if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength)) ++ return FALSE; ++ + UNROLL(runLength, + { + SRCREADPIXEL(temp, pbSrc); +diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c +index a3fe7dd3f..0d36e9b9f 100644 +--- a/libfreerdp/codec/interleaved.c ++++ b/libfreerdp/codec/interleaved.c +@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si + { + const size_t available = (uintptr_t)end - (uintptr_t)start; + const BOOL rc = available >= size * base; +- return rc; ++ return rc && (start <= end); + } + + static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix) +-- +2.26.2 + diff --git a/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch b/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch new file mode 100644 index 0000000..46bc238 --- /dev/null 
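Review bot: In the interleaved.c hunk, `ensure_capacity` still forms `available` from `(uintptr_t)end - (uintptr_t)start` before `start <= end` is known, so for an inverted range the subtraction wraps and the result is only rescued by the trailing `&& (start <= end)`; the guard reads more clearly, and the wrapped value is never produced, if the ordering check comes first. The product `size * base` is also unchecked and could wrap on a 32-bit build if a large run length reaches it (the callers are outside the hunk, so this is inferred). A body of `if (start > end) return FALSE;` / `if (base != 0 && size > SIZE_MAX / base) return FALSE;` / `return ((uintptr_t)end - (uintptr_t)start) >= size * base;` covers both; `SIZE_MAX` comes from `<stdint.h>`, which `uintptr_t` already requires. The function's signature is the hunk header context, so the definition begins one line before the hunk.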
+++ b/SOURCES/Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch 
@@ -0,0 +1,92 @@ +From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Mon, 30 Mar 2020 18:18:12 +0200 +Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec. + +Thanks to Sunglin and HuanGMz from Knownsec 404 +--- + libfreerdp/codec/planar.c | 15 ++++++++------- + libfreerdp/core/orders.c | 6 ++++++ + 2 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c +index 98f2495e2..34c48d786 100644 +--- a/libfreerdp/codec/planar.c ++++ b/libfreerdp/codec/planar.c +@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane( + static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, + UINT32 nWidth, UINT32 nHeight) + { ++ UINT32 used = 0; + UINT32 x, y; + BYTE controlByte; +- const BYTE* pRLE = pSrcData; +- const BYTE* pEnd = &pSrcData[SrcSize]; + + for (y = 0; y < nHeight; y++) + { +@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, + int cRawBytes; + int nRunLength; + +- if (pRLE >= pEnd) ++ if (used >= SrcSize) + return -1; + +- controlByte = *pRLE++; ++ controlByte = pSrcData[used++]; + nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte); + cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte); + +@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, + cRawBytes = 0; + } + +- pRLE += cRawBytes; ++ used += cRawBytes; + x += cRawBytes; + x += nRunLength; + + if (x > nWidth) + return -1; + +- if (pRLE > pEnd) ++ if (used > SrcSize) + return -1; + } + } + +- return (INT32)(pRLE - pSrcData); ++ if (used > INT32_MAX) ++ return -1; ++ return (INT32)used; + } + + static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize, +diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c +index 9f3489f17..e44f0dead 100644 +--- a/libfreerdp/core/orders.c ++++ b/libfreerdp/core/orders.c 
+@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt + } + } + ++ if (cache_bitmap->bitmapLength == 0) ++ goto fail; ++ + if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength) + goto fail; + +@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat + } + } + ++ if (cache_bitmap_v2->bitmapLength == 0) ++ goto fail; ++ + if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength) + goto fail; + +-- +2.26.2 + diff --git a/SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch b/SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch new file mode 100644 index 0000000..62c5a2b --- /dev/null +++ b/SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch 
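Review bot: The rewritten `planar_skip_plane_rle` in the planar.c hunk changes its contract (it now returns a byte count derived from an offset and rejects counts above `INT32_MAX`) without a comment saying so, and the reason for dropping the `pRLE`/`pEnd` pointers is not recorded anywhere. I would add above the signature: `/* Returns the number of RLE bytes consumed by one plane, or -1 if the stream is truncated, a row exceeds nWidth, or the count does not fit an INT32. The cursor is an offset rather than a pointer so that no pointer beyond pSrcData + SrcSize is ever formed. */`. The run/raw-byte decoding between the three sub-hunks is not visible here, so whether `cRawBytes` is already clamped against the remaining width before `used += cRawBytes` cannot be confirmed from this page. The two `bitmapLength == 0` checks in orders.c look correct; both enclosing functions start and end outside their hunks.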
@@ -0,0 +1,78 @@ +From 0d468aacfc2c14b904896d9d7ee2cd07bf7c6004 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Tue, 19 May 2020 07:41:14 +0200 +Subject: [PATCH] Fixed GHSL-2020-102 heap overflow + +(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581) +--- + libfreerdp/crypto/crypto.c | 41 ++++++++++++++++++++++++++++---------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c +index 39875f74d..10d430a82 100644 +--- a/libfreerdp/crypto/crypto.c ++++ b/libfreerdp/crypto/crypto.c +@@ -96,13 +96,24 @@ exit: + static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus, + const BYTE* exponent, int exponent_size, BYTE* output) + { +- BN_CTX* ctx; ++ BN_CTX* ctx = NULL; + int output_length = -1; +- BYTE* input_reverse; +- BYTE* modulus_reverse; +- BYTE* exponent_reverse; +- BIGNUM* mod, *exp, *x, *y; +- input_reverse = (BYTE*) malloc(2 * key_length + exponent_size); ++ BYTE* input_reverse = NULL; ++ BYTE* modulus_reverse = NULL; ++ BYTE* exponent_reverse = NULL; ++ BIGNUM* mod = NULL; ++ BIGNUM* exp = NULL; ++ BIGNUM* x = NULL; ++ BIGNUM* y = NULL; ++ size_t bufferSize = 2 * key_length + exponent_size; ++ ++ if (!input || (length < 0) || (exponent_size < 0) || !modulus || !exponent || !output) ++ return -1; ++ ++ if (length > bufferSize) ++ bufferSize = length; ++ ++ input_reverse = (BYTE*)calloc(bufferSize, 1); + + if (!input_reverse) + return -1; +@@ -131,16 +142,24 @@ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, c + if (!(y = BN_new())) + goto fail_bn_y; + +- BN_bin2bn(modulus_reverse, key_length, mod); +- BN_bin2bn(exponent_reverse, exponent_size, exp); +- BN_bin2bn(input_reverse, length, x); +- BN_mod_exp(y, x, exp, mod, ctx); ++ if (!BN_bin2bn(modulus_reverse, key_length, mod)) ++ goto fail; ++ ++ if (!BN_bin2bn(exponent_reverse, exponent_size, exp)) ++ goto fail; ++ if (!BN_bin2bn(input_reverse, 
length, x)) ++ goto fail; ++ if (BN_mod_exp(y, x, exp, mod, ctx) != 1) ++ goto fail; + output_length = BN_bn2bin(y, output); ++ if (output_length < 0) ++ goto fail; + crypto_reverse(output, output_length); + +- if (output_length < (int) key_length) ++ if (output_length < key_length) + memset(output + output_length, 0, key_length - output_length); + ++fail: + BN_free(y); + fail_bn_y: + BN_clear_free(x); +-- +2.26.2 + diff --git a/SPECS/freerdp.spec b/SPECS/freerdp.spec index 70c16f3..3d3ee9d 100644 --- a/SPECS/freerdp.spec +++ b/SPECS/freerdp.spec @@ -18,7 +18,7 @@ Name: freerdp Version: 2.0.0 -Release: 46.rc4%{?dist} +Release: 46.rc4%{?dist}.2 Epoch: 2 Summary: Free implementation of the Remote Desktop Protocol (RDP) License: ASL 2.0 @@ -26,6 +26,11 @@ URL: http://www.freerdp.com/ Source0: https://github.com/FreeRDP/FreeRDP/archive/%{gittag}/FreeRDP-%{gittag}.tar.gz +Patch1: Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch +Patch2: Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch +Patch3: Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch +Patch4: Fixed-GHSL-2020-102-heap-overflow.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel @@ -295,6 +300,14 @@ find %{buildroot} -name "*.a" -delete %{_libdir}/pkgconfig/winpr-tools2.pc %changelog +* Mon Jun 01 2020 Ondrej Holy - 2:2.0.0-46.rc4.2 +- CVE-2020-13398: Fix out-of-bounds write in crypto.c (#1841978) + +* Wed May 20 2020 Ondrej Holy - 2:2.0.0-46.rc4.1 +- CVE-2020-11521: Fix out-of-bounds write in planar.c (#1837632) +- CVE-2020-11523: Fix integer overflow in region.c (#1837633) +- CVE-2020-11524: Fix out-of-bounds write in interleaved.c (#1837631) + * Wed Nov 28 2018 Ondrej Holy - 2:2.0.0-46.rc4 - Update to 2.0.0-rc4 (#1624340)
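Review bot: In the crypto.c hunk, `size_t bufferSize = 2 * key_length + exponent_size;` is evaluated in 32-bit arithmetic (`key_length` is `UINT32`, `exponent_size` is `int`) and before the `exponent_size < 0` guard, so the product can wrap and a negative exponent size is mixed in before being rejected; the later `length > bufferSize` and `output_length < key_length` comparisons also mix `int` with unsigned types and are safe only because the non-negativity checks precede them. Initialising `size_t bufferSize = 0;` at the top and computing it after the parameter guard as `bufferSize = 2 * (size_t)key_length + (size_t)exponent_size;` followed by `if ((size_t)length > bufferSize) bufferSize = (size_t)length;` keeps the arithmetic in `size_t` and makes the intent explicit. `crypto_rsa_common` begins in this hunk but its body continues outside it, including the code that positions `modulus_reverse` and `exponent_reverse` inside the buffer, which I cannot check here.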
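Review bot: The freerdp.spec hunk adds only the `Patch1`–`Patch4` declarations; if `%prep` uses plain `%setup` rather than `%autosetup`/`%autopatch` (the `%prep` section is outside this diff), nothing applies these patches and the build ships unpatched code while the changelog claims the fixes. Worth confirming that `%prep` has matching `%patch1 -p1` … `%patch4 -p1` lines or an `%autosetup -p1`. The 46.rc4.2 changelog entry names CVE-2020-13398 while the patch file is named for GHSL-2020-102; mentioning the GHSL id in that entry would make the mapping searchable.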