Accepting request 237029 from home:dliang:branches:X11:RemoteDesktop

fix bnc#880317, CVE-2014-0250

OBS-URL: https://build.opensuse.org/request/show/237029
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp?expand=0&rev=43

freerdp-CVE-2014-0250.patch

@@ -0,0 +1,192 @@
+diff -Npur FreeRDP-1.0.2/libfreerdp-core/fastpath.c FreeRDP-1.0.2-new/libfreerdp-core/fastpath.c
+--- FreeRDP-1.0.2/libfreerdp-core/fastpath.c	2013-01-03 05:46:59.000000000 +0800
++++ FreeRDP-1.0.2-new/libfreerdp-core/fastpath.c	2014-06-13 04:46:30.293159988 +0800
+@@ -203,8 +203,10 @@ static void fastpath_recv_update(rdpFast
+ 			break;
+ 
+ 		case FASTPATH_UPDATETYPE_COLOR:
+-			update_read_pointer_color(s, &pointer->pointer_color);
+-			IFCALL(pointer->PointerColor, context, &pointer->pointer_color);
++			if (update_read_pointer_color(s, &pointer->pointer_color))
++				IFCALL(pointer->PointerColor, context, &pointer->pointer_color);
++			else
++				DEBUG_WARN("update color failed");
+ 			break;
+ 
+ 		case FASTPATH_UPDATETYPE_CACHED:
+@@ -213,8 +215,10 @@ static void fastpath_recv_update(rdpFast
+ 			break;
+ 
+ 		case FASTPATH_UPDATETYPE_POINTER:
+-			update_read_pointer_new(s, &pointer->pointer_new);
+-			IFCALL(pointer->PointerNew, context, &pointer->pointer_new);
++			if (update_read_pointer_new(s, &pointer->pointer_new))
++				IFCALL(pointer->PointerNew, context, &pointer->pointer_new);
++			else
++				DEBUG_WARN("update pointer error");
+ 			break;
+ 
+ 		default:
+diff -Npur FreeRDP-1.0.2/libfreerdp-core/rdp.c FreeRDP-1.0.2-new/libfreerdp-core/rdp.c
+--- FreeRDP-1.0.2/libfreerdp-core/rdp.c	2013-01-03 05:46:59.000000000 +0800
++++ FreeRDP-1.0.2-new/libfreerdp-core/rdp.c	2014-06-13 04:37:01.317162752 +0800
+@@ -471,7 +471,7 @@ void rdp_recv_set_error_info_data_pdu(rd
+ 		rdp_print_errinfo(rdp->errorInfo);
+ }
+ 
+-void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
++boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s)
+ {
+ 	uint8 type;
+ 	uint16 length;
+@@ -497,7 +497,8 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STRE
+ 			break;
+ 
+ 		case DATA_PDU_TYPE_POINTER:
+-			update_recv_pointer(rdp->update, s);
++			if (!update_recv_pointer(rdp->update, s))
++				return false;
+ 			break;
+ 
+ 		case DATA_PDU_TYPE_INPUT:
+@@ -571,6 +572,7 @@ void rdp_recv_data_pdu(rdpRdp* rdp, STRE
+ 		default:
+ 			break;
+ 	}
++	return true;
+ }
+ 
+ boolean rdp_recv_out_of_sequence_pdu(rdpRdp* rdp, STREAM* s)
+@@ -583,8 +585,10 @@ boolean rdp_recv_out_of_sequence_pdu(rdp
+ 
+ 	if (type == PDU_TYPE_DATA)
+ 	{
+-		rdp_recv_data_pdu(rdp, s);
+-		return true;
++		if (rdp_recv_data_pdu(rdp, s))
++			return true;
++		else
++			return false;
+ 	}
+ 	else if (type == PDU_TYPE_SERVER_REDIRECTION)
+ 	{
+@@ -719,7 +723,8 @@ static boolean rdp_recv_tpkt_pdu(rdpRdp*
+ 		switch (pduType)
+ 		{
+ 			case PDU_TYPE_DATA:
+-				rdp_recv_data_pdu(rdp, s);
++				if (!rdp_recv_data_pdu(rdp, s))
++					return false;
+ 				break;
+ 
+ 			case PDU_TYPE_DEACTIVATE_ALL:
+diff -Npur FreeRDP-1.0.2/libfreerdp-core/rdp.h FreeRDP-1.0.2-new/libfreerdp-core/rdp.h
+--- FreeRDP-1.0.2/libfreerdp-core/rdp.h	2013-01-03 05:46:59.000000000 +0800
++++ FreeRDP-1.0.2-new/libfreerdp-core/rdp.h	2014-06-13 04:37:01.317162752 +0800
+@@ -181,7 +181,7 @@ boolean rdp_send_pdu(rdpRdp* rdp, STREAM
+ 
+ STREAM* rdp_data_pdu_init(rdpRdp* rdp);
+ boolean rdp_send_data_pdu(rdpRdp* rdp, STREAM* s, uint8 type, uint16 channel_id);
+-void rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s);
++boolean rdp_recv_data_pdu(rdpRdp* rdp, STREAM* s);
+ 
+ boolean rdp_send(rdpRdp* rdp, STREAM* s, uint16 channel_id);
+ void rdp_recv(rdpRdp* rdp);
+diff -Npur FreeRDP-1.0.2/libfreerdp-core/update.c FreeRDP-1.0.2-new/libfreerdp-core/update.c
+--- FreeRDP-1.0.2/libfreerdp-core/update.c	2013-01-03 05:46:59.000000000 +0800
++++ FreeRDP-1.0.2-new/libfreerdp-core/update.c	2014-06-13 04:37:01.317162752 +0800
+@@ -165,13 +165,27 @@ void update_read_pointer_system(STREAM*
+ 	stream_read_uint32(s, pointer_system->type); /* systemPointerType (4 bytes) */
+ }
+ 
+-void update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color)
++boolean update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color)
+ {
+ 	stream_read_uint16(s, pointer_color->cacheIndex); /* cacheIndex (2 bytes) */
+ 	stream_read_uint16(s, pointer_color->xPos); /* xPos (2 bytes) */
+ 	stream_read_uint16(s, pointer_color->yPos); /* yPos (2 bytes) */
++
++    /**
++         *  As stated in 2.2.9.1.1.4.4 Color Pointer Update:
++         *  The maximum allowed pointer width/height is 96 pixels if the client indicated support
++         *  for large pointers by setting the LARGE_POINTER_FLAG (0x00000001) in the Large
++         *  Pointer Capability Set (section 2.2.7.2.7). If the LARGE_POINTER_FLAG was not
++         *  set, the maximum allowed pointer width/height is 32 pixels.
++         *
++         *  So we check for a maximum of 96 for CVE-2014-0250.
++         */
+ 	stream_read_uint16(s, pointer_color->width); /* width (2 bytes) */
+ 	stream_read_uint16(s, pointer_color->height); /* height (2 bytes) */
++        if ((pointer_color->width > 96) || (pointer_color->height > 96))
++                return false;
++
++
+ 	stream_read_uint16(s, pointer_color->lengthAndMask); /* lengthAndMask (2 bytes) */
+ 	stream_read_uint16(s, pointer_color->lengthXorMask); /* lengthXorMask (2 bytes) */
+ 
+@@ -200,12 +214,13 @@ void update_read_pointer_color(STREAM* s
+ 
+ 	if (stream_get_left(s) > 0)
+ 		stream_seek_uint8(s); /* pad (1 byte) */
++	return true;
+ }
+ 
+-void update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new)
++boolean update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new)
+ {
+ 	stream_read_uint16(s, pointer_new->xorBpp); /* xorBpp (2 bytes) */
+-	update_read_pointer_color(s, &pointer_new->colorPtrAttr); /* colorPtrAttr */
++	return update_read_pointer_color(s, &pointer_new->colorPtrAttr); /* colorPtrAttr */
+ }
+ 
+ void update_read_pointer_cached(STREAM* s, POINTER_CACHED_UPDATE* pointer_cached)
+@@ -213,7 +228,7 @@ void update_read_pointer_cached(STREAM*
+ 	stream_read_uint16(s, pointer_cached->cacheIndex); /* cacheIndex (2 bytes) */
+ }
+ 
+-void update_recv_pointer(rdpUpdate* update, STREAM* s)
++boolean update_recv_pointer(rdpUpdate* update, STREAM* s)
+ {
+ 	uint16 messageType;
+ 	rdpContext* context = update->context;
+@@ -235,8 +250,10 @@ void update_recv_pointer(rdpUpdate* upda
+ 			break;
+ 
+ 		case PTR_MSG_TYPE_COLOR:
+-			update_read_pointer_color(s, &pointer->pointer_color);
+-			IFCALL(pointer->PointerColor, context, &pointer->pointer_color);
++			if (update_read_pointer_color(s, &pointer->pointer_color))
++				IFCALL(pointer->PointerColor, context, &pointer->pointer_color);
++			else
++				return false;
+ 			break;
+ 
+ 		case PTR_MSG_TYPE_POINTER:
+@@ -252,6 +269,7 @@ void update_recv_pointer(rdpUpdate* upda
+ 		default:
+ 			break;
+ 	}
++	return true;
+ }
+ 
+ void update_recv(rdpUpdate* update, STREAM* s)
+diff -Npur FreeRDP-1.0.2/libfreerdp-core/update.h FreeRDP-1.0.2-new/libfreerdp-core/update.h
+--- FreeRDP-1.0.2/libfreerdp-core/update.h	2013-01-03 05:46:59.000000000 +0800
++++ FreeRDP-1.0.2-new/libfreerdp-core/update.h	2014-06-13 04:45:52.981160169 +0800
+@@ -43,13 +43,13 @@ void update_reset_state(rdpUpdate* updat
+ void update_read_bitmap(rdpUpdate* update, STREAM* s, BITMAP_UPDATE* bitmap_update);
+ void update_read_palette(rdpUpdate* update, STREAM* s, PALETTE_UPDATE* palette_update);
+ void update_recv_play_sound(rdpUpdate* update, STREAM* s);
+-void update_recv_pointer(rdpUpdate* update, STREAM* s);
++boolean update_recv_pointer(rdpUpdate* update, STREAM* s);
+ void update_recv(rdpUpdate* update, STREAM* s);
+ 
+ void update_read_pointer_position(STREAM* s, POINTER_POSITION_UPDATE* pointer_position);
+ void update_read_pointer_system(STREAM* s, POINTER_SYSTEM_UPDATE* pointer_system);
+-void update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color);
+-void update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new);
++boolean update_read_pointer_color(STREAM* s, POINTER_COLOR_UPDATE* pointer_color);
++boolean update_read_pointer_new(STREAM* s, POINTER_NEW_UPDATE* pointer_new);
+ void update_read_pointer_cached(STREAM* s, POINTER_CACHED_UPDATE* pointer_cached);
+ 
+ void update_register_server_callbacks(rdpUpdate* update);

freerdp.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 12 20:50:36 UTC 2014 - dliang@suse.com
+
+- Add freerdp-CVE-2014-0250.patch to fix bnc#880317
+  solves CVE-2014-0250, backport from upstream
+
 -------------------------------------------------------------------
 Thu Oct 31 17:58:21 UTC 2013 - lnt-sysadmin@lists.lrz.de
 

freerdp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package freerdp
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,16 +33,18 @@ Patch1:         freerdp-fix-FindPCSC-macro.patch
 Patch4:         freerdp-handle-null-device-name.patch
 # PATCH-FIX-UPSTREAM (wip) fix handle of kpdivide on keypad - issue #831
 Patch5:         freerdp_branch-1.0.x_fix-kpdivide-issue831.patch
+# PATCH-FIX-UPSTREAM freerdp-CVE-2014-0250.patch bnc#880317 dliang@suse.com - backport from upstream 
+Patch6:         freerdp-CVE-2014-0250.patch
+BuildRequires:  alsa-devel
 BuildRequires:  cmake
 BuildRequires:  cups-devel
 BuildRequires:  ed
+BuildRequires:  libopenssl-devel
+BuildRequires:  libpulse-devel
+BuildRequires:  pcsc-lite-devel
 BuildRequires:  xmlto
 BuildRequires:  xorg-x11-devel
 BuildRequires:  zlib-devel
-BuildRequires:  alsa-devel
-BuildRequires:  pcsc-lite-devel
-BuildRequires:  libpulse-devel
-BuildRequires:  libopenssl-devel
 Recommends:     libfreerdp-plugins
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -83,6 +85,7 @@ based on libfreerdp.
 %patch1 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 # use a versioned subdirectory for plugins in order to comply with the shared
 # library policy
 ed -s CMakeLists.txt 2>/dev/null <<'EOF'