diff --git a/SOURCES/CVE-2018-8786.patch b/SOURCES/CVE-2018-8786.patch
new file mode 100644
index 0000000..d3ba04a
--- /dev/null
+++ b/SOURCES/CVE-2018-8786.patch
@@ -0,0 +1,14 @@
+diff --git a/libfreerdp-core/update.c b/libfreerdp-core/update.c
+index c828b2214..5af9f6ab1 100644
+--- a/libfreerdp-core/update.c
++++ b/libfreerdp-core/update.c
+@@ -90,7 +90,7 @@ void update_read_bitmap(rdpUpdate* update, STREAM* s, BITMAP_UPDATE* bitmap_upda
+
+ if (bitmap_update->number > bitmap_update->count)
+ {
+- uint16 count;
++ uint32 count;
+
+ count = bitmap_update->number * 2;
+
+
diff --git a/SOURCES/CVE-2018-8787.patch b/SOURCES/CVE-2018-8787.patch
new file mode 100644
index 0000000..8d88554
--- /dev/null
+++ b/SOURCES/CVE-2018-8787.patch
@@ -0,0 +1,34 @@
+diff --git a/libfreerdp-gdi/graphics.c b/libfreerdp-gdi/graphics.c
+index 04816334c..5a49bd365 100644
+--- a/libfreerdp-gdi/graphics.c
++++ b/libfreerdp-gdi/graphics.c
+@@ -30,6 +30,8 @@
+ #include
+ #include
+
++#include
++
+ #include "graphics.h"
+
+ /* Bitmap Class */
+@@ -89,9 +91,18 @@ void gdi_Bitmap_Paint(rdpContext* context, rdpBitmap* bitmap)
+ void gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap,
+ uint8* data, int width, int height, int bpp, int length, boolean compressed)
+ {
+- uint16 size;
++ uint32 size = width * height;
++ int bpp_op = (bpp + 7) / 8;
++
++ if ((bpp == 0) ||
++ (width == 0) || (height == 0) || (width > UINT32_MAX / height) ||
++ (size > (UINT32_MAX / bpp_op)))
++ {
++ printf("gdi_Bitmap_Decompress failed\n");
++ abort();
++ }
+
+- size = width * height * (bpp + 7) / 8;
++ size *= bpp_op;
+
+ if (bitmap->data == NULL)
+ bitmap->data = (uint8*) xmalloc(size);
diff --git a/SOURCES/CVE-2018-8788.patch b/SOURCES/CVE-2018-8788.patch
new file mode 100644
index 0000000..a8ae95f
--- /dev/null
+++ b/SOURCES/CVE-2018-8788.patch
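Review bot: In the libfreerdp-core/update.c hunk of CVE-2018-8786.patch, widening the local `count` to `uint32` only helps if everything that later receives it is equally wide, and the hunk stops at `count = bitmap_update->number * 2;` with the rest of `update_read_bitmap` not shown. If `bitmap_update->count` is still declared as a 16-bit field in this branch, storing the doubled value back into it would truncate again and the `number > count` capacity test would compare against a wrong size, so the field's declared type should be confirmed as part of the backport. A one-line comment at the declaration would also keep the type from being narrowed again, for example `/* uint32: number * 2 must not wrap at 16 bits (CVE-2018-8786) */`.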
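Review bot: In the libfreerdp-gdi/graphics.c hunk of CVE-2018-8787.patch, the initialiser `uint32 size = width * height;` multiplies two `int` parameters before any of the new checks run, so the overflow the guard is meant to catch has already happened as signed arithmetic (undefined behaviour) by the time `width > UINT32_MAX / height` is evaluated. The guard also rejects only zero: negative `width` or `height` values are converted to unsigned in the comparisons rather than refused, and a small negative `bpp` such as -1 makes `bpp_op` zero, which turns `UINT32_MAX / bpp_op` into a division by zero. Whether callers can pass negative values is not visible here, but the signature accepts them, so I would validate first and multiply afterwards in unsigned arithmetic, as sketched below. The function body continues past the end of the hunk.

```c
	uint32 size;
	uint32 bpp_op;

	/* Validate before multiplying: width, height and bpp are signed int. */
	if ((bpp <= 0) || (width <= 0) || (height <= 0) ||
		((uint32) width > UINT32_MAX / (uint32) height))
	{
		printf("gdi_Bitmap_Decompress failed\n");
		abort();
	}

	bpp_op = ((uint32) bpp + 7) / 8;
	size = (uint32) width * (uint32) height;

	if (size > UINT32_MAX / bpp_op)
	{
		printf("gdi_Bitmap_Decompress failed\n");
		abort();
	}

	size *= bpp_op;
	/* … unchanged: bitmap->data allocation … */
```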
@@ -0,0 +1,88 @@
+diff --git a/libfreerdp-codec/nsc.c b/libfreerdp-codec/nsc.c
+index a39bdd33e..a86ea80f4 100644
+--- a/libfreerdp-codec/nsc.c
++++ b/libfreerdp-codec/nsc.c
+@@ -217,6 +217,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+
+ if (i == 5)
+ {
++ if (stream_get_left(out) < 1)
++ {
++ printf("nsc_rle_decode failed");
++ abort();
++ }
+ stream_write_uint8(out,value);
+ i-=1;
+ }
+@@ -228,6 +233,11 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+ {
+ uint8 len;
+ stream_read_uint8(in, len);
++ if (stream_get_left(out) < len+2)
++ {
++ printf("nsc_rle_decode failed");
++ abort();
++ }
+ stream_set_byte(out, value, len+2);
+ i -= (len+2);
+ }
+@@ -236,17 +246,32 @@ void nsc_rle_decode(STREAM* in, STREAM* out, uint32 origsz)
+ uint32 len;
+ stream_seek(in, 1);
+ stream_read_uint32(in, len);
++ if (stream_get_left (out) < len)
++ {
++ printf("nsc_rle_decode failed");
++ abort();
++ }
+ stream_set_byte(out, value, len);
+ i -= len;
+ }
+ }
+ else
+ {
++ if (stream_get_left(out) < 1)
++ {
++ printf("nsc_rle_decode failed");
++ abort();
++ }
+ stream_write_uint8(out, value);
+ i -= 1;
+ }
+ }
+
++ if (stream_get_left(out) < 4)
++ {
++ printf("nsc_rle_decode failed");
++ abort();
++ }
+ stream_copy(out, in, 4);
+ }
+
+@@ -264,11 +289,25 @@ void nsc_rle_decompress_data(NSC_CONTEXT* context)
+ origsize = context->OrgByteCount[i];
+
+ if (i == 3 && context->nsc_stream->PlaneByteCount[i] == 0)
++ {
++ if (stream_get_left(context->org_buf[i]) < origsize)
++ {
++ printf("nsc_rle_decompress_data failed");
++ abort();
++ }
+ stream_set_byte(context->org_buf[i], 0xff, origsize);
++ }
+ else if (context->nsc_stream->PlaneByteCount[i] < origsize)
+ nsc_rle_decode(rles, context->org_buf[i], origsize);
+ else
++ {
++ if (stream_get_left(context->org_buf[i]) < origsize)
++ {
++ printf("nsc_rle_decompress_data failed");
++ abort();
++ }
+ stream_copy(context->org_buf[i], rles, origsize);
++ }
+
+ context->org_buf[i]->p = 
context->org_buf[i]->data; + } + diff --git a/SPECS/freerdp.spec b/SPECS/freerdp.spec index 2a39343..8efc64f 100644 --- a/SPECS/freerdp.spec +++ b/SPECS/freerdp.spec @@ -1,6 +1,6 @@ Name: freerdp Version: 1.0.2 -Release: 15%{?dist} +Release: 15%{?dist}.1 Summary: Remote Desktop Protocol client Group: Applications/Communications @@ -83,6 +83,18 @@ Patch18: Fix-colors-on-big-endian.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1363811 Patch19: FIPS-mode-support.patch +# Fix CVE-2018-8786 +# https://bugzilla.redhat.com/show_bug.cgi?id=1684152 +Patch21: CVE-2018-8786.patch + +# Fix CVE-2018-8787 +# https://bugzilla.redhat.com/show_bug.cgi?id=1684156 +Patch22: CVE-2018-8787.patch + +# Fix CVE-2018-8788 +# https://bugzilla.redhat.com/show_bug.cgi?id=1684163 +Patch23: CVE-2018-8788.patch + %description The xfreerdp Remote Desktop Protocol (RDP) client from the FreeRDP project. @@ -148,6 +160,9 @@ developing applications that use %{name}-libs. %patch18 -p1 -b .Fix-colors-on-big-endian %patch19 -p1 -b .FIPS-mode-support %patch20 -p1 -b .Fix-smartcard-usage-in-manpage +%patch21 -p1 -b .CVE-2018-8786 +%patch22 -p1 -b .CVE-2018-8787 +%patch23 -p1 -b .CVE-2018-8788 cat << EOF > xfreerdp.desktop [Desktop Entry] @@ -237,6 +252,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %changelog +* Fri Mar 8 2019 Ondrej Holy - 1.0.2-15.1 +- Fix CVE-2018-8786 (#1684152) +- Fix CVE-2018-8787 (#1684156) +- Fix CVE-2018-8788 (#1684163) + * Wed Jan 31 2018 Ondrej Holy - 1.0.2-15 - Fix smartcard usage in manpage (#1428041)
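Review bot: In the libfreerdp-codec/nsc.c hunks of CVE-2018-8788.patch, every added guard bounds the destination (`stream_get_left(out)`, `stream_get_left(context->org_buf[i])`) but none bounds the source, so `stream_read_uint8(in, len)`, `stream_read_uint32(in, len)`, `stream_copy(out, in, 4)` and `stream_copy(context->org_buf[i], rles, origsize)` can still read past the end of the input when it is shorter than the encoded lengths claim. Unless the callers already validate the input length (not visible here, since both functions start outside the hunks), each read wants a matching check, for example `if (stream_get_left(in) < 4 || stream_get_left(out) < 4)` before the final copy. Separately, the failure messages lack a trailing newline and go to stdout, which `abort()` is not required to flush, so the diagnostic may never appear; `fprintf(stderr, "nsc_rle_decode failed\n");` would make it reliable.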