Commit aadb4fa2 authored by Mike Gabriel's avatar Mike Gabriel

debian/patches: Add security patches: CVE-2018-8786.patch,...

debian/patches: Add security patches: CVE-2018-8786.patch, CVE-2018-8787.patch, CVE-2018-8788.patch and CVE-2018-8789.patch. Thanks to Alex Murray for backporting them to FreeRDP 1.1.
parent e3d98747
Backport of:
From 445a5a42c500ceb80f8fa7f2c11f3682538033f3 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:25:13 +0200
Subject: [PATCH] Fixed CVE-2018-8786
Thanks to Eyal Itkin from Check Point Software Technologies.
---
libfreerdp/core/update.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/update.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/core/update.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/core/update.c
@@ -119,7 +119,7 @@ BOOL update_read_bitmap(rdpUpdate* updat
if (bitmap_update->number > bitmap_update->count)
{
- UINT16 count;
+ UINT32 count;
count = bitmap_update->number * 2;
Backport of:
From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:30:20 +0200
Subject: [PATCH] Fixed CVE-2018-8787
Thanks to Eyal Itkin from Check Point Software Technologies.
---
libfreerdp/gdi/graphics.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/libfreerdp/gdi/graphics.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/libfreerdp/gdi/graphics.c
@@ -23,6 +23,7 @@
#include <winpr/crt.h>
+#include <stdint.h>
#include <freerdp/gdi/dc.h>
#include <freerdp/gdi/brush.h>
#include <freerdp/gdi/shape.h>
@@ -98,7 +99,7 @@ void gdi_Bitmap_Decompress(rdpContext* c
BYTE* data, int width, int height, int bpp, int length,
BOOL compressed, int codec_id)
{
- UINT16 size;
+ UINT32 size;
RFX_MESSAGE* msg;
BYTE* src;
BYTE* dst;
@@ -107,7 +108,16 @@ void gdi_Bitmap_Decompress(rdpContext* c
rdpGdi* gdi;
BOOL status;
- size = width * height * ((bpp + 7) / 8);
+ size = width * height;
+
+ if (bpp <= 0 || width <= 0 || height <= 0 ||
+ width > (UINT32_MAX / height) ||
+ size > (UINT32_MAX / (bpp + 7) / 8))
+ {
+ printf("Invalid parameters, unable to decompress bitmap\n");
+ return;
+ }
+ size *= (bpp + 7) / 8;
if (bitmap->data == NULL)
bitmap->data = (BYTE*) malloc(size);
This diff is collapsed.
Backport of:
From 2ee663f39dc8dac3d9988e847db19b2d7e3ac8c6 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Mon, 22 Oct 2018 16:00:03 +0200
Subject: [PATCH] Fixed CVE-2018-8789
Thanks to Eyal Itkin from Check Point Software Technologies.
---
winpr/libwinpr/sspi/NTLM/ntlm_message.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
Index: freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
===================================================================
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1.orig/winpr/libwinpr/sspi/NTLM/ntlm_message.c
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/winpr/libwinpr/sspi/NTLM/ntlm_message.c
@@ -146,6 +146,10 @@ void ntlm_read_message_fields_buffer(wSt
{
if (fields->Len > 0)
{
+ const UINT64 offset = (UINT64)fields->BufferOffset + (UINT64)fields->Len;
+
+ if (offset > Stream_Length(s))
+ return;
fields->Buffer = malloc(fields->Len);
Stream_SetPosition(s, fields->BufferOffset);
Stream_Read(s, fields->Buffer, fields->Len);
......@@ -21,3 +21,7 @@
1013_aligned_meminfo_alignment.patch
0008-Fix-multiple-security-issues.patch
0009-enable-TLS-12.patch
CVE-2018-8786.patch
CVE-2018-8787.patch
CVE-2018-8788.patch
CVE-2018-8789.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment