From 1d886fecaa1cbdde685055a19e3399fba6131661be48496cfb523f8a80fbd837 Mon Sep 17 00:00:00 2001
From: Johannes Weberhofer <jweberhofer@weberhofer.at>
Date: Fri, 22 May 2020 08:17:00 +0000
Subject: [PATCH] Accepting request 808120 from
 home:weberho:branches:X11:RemoteDesktop

- Updated to release 2.1.1
  * CVE-2020-NYA: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
  * CVE-2020-NYA: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
  * CVE-2020-NYA: GHSL-2020-102 OOB Write in crypto_rsa_common
  * Enforce synchronous legacy RDP encryption count (#6156)
  * Fixed some leaks and crashes missed in 2.1.0
  * Removed dynamic channel listener limits
  * Lots of resource cleanup fixes (clang sanitizers)
  * A couple of performance improvements
  * Various small annoyances eliminated (typos, prefilled username for windows client, ...)
- Removed freerdp-bug-6175.patch and freerdp-bug-6207.patch because included in upstream

OBS-URL: https://build.opensuse.org/request/show/808120
OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp?expand=0&rev=101
---
 FreeRDP-2.1.0.tar.gz   |  3 --
 FreeRDP-2.1.1.tar.gz   |  3 ++
 freerdp-bug-6175.patch | 69 ------------------------------------------
 freerdp-bug-6207.patch | 40 ------------------------
 freerdp.changes        | 16 ++++++++++
 freerdp.spec           |  8 ++---
 6 files changed, 21 insertions(+), 118 deletions(-)
 delete mode 100644 FreeRDP-2.1.0.tar.gz
 create mode 100644 FreeRDP-2.1.1.tar.gz
 delete mode 100644 freerdp-bug-6175.patch
 delete mode 100644 freerdp-bug-6207.patch

diff --git a/FreeRDP-2.1.0.tar.gz b/FreeRDP-2.1.0.tar.gz
deleted file mode 100644
index 70569d9..0000000
--- a/FreeRDP-2.1.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:463b337c832dfc0918d03cf24cc94202535ad718915f11f51051da3442d4d8a7
-size 6825453
diff --git a/FreeRDP-2.1.1.tar.gz b/FreeRDP-2.1.1.tar.gz
new file mode 100644
index 0000000..336c5c1
--- /dev/null
+++ b/FreeRDP-2.1.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce363a6578530cf508df802bb980a8dd49a874919bfa33b8c61d992ad0882bfb
+size 6828178
diff --git a/freerdp-bug-6175.patch b/freerdp-bug-6175.patch
deleted file mode 100644
index ac34950..0000000
--- a/freerdp-bug-6175.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From f3063a589d908a087a295b9217bc5fa34a80fb36 Mon Sep 17 00:00:00 2001
-From: akallabeth <akallabeth@posteo.net>
-Date: Tue, 12 May 2020 13:00:13 +0200
-Subject: [PATCH] Fixed #6148: multiple ceritificate purposes
-
-OpenSSL certificate verification can only check a single purpose.
-Run the checks with all allowed purposes and accept any.
----
- libfreerdp/crypto/crypto.c | 35 +++++++++++++++++++++++------------
- 1 file changed, 23 insertions(+), 12 deletions(-)
-
-diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
-index 0920e356e9..4507578ab6 100644
---- a/libfreerdp/crypto/crypto.c
-+++ b/libfreerdp/crypto/crypto.c
-@@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
- 
- BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
- {
-+	size_t i;
-+	const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
- 	X509_STORE_CTX* csc;
- 	BOOL status = FALSE;
- 	X509_STORE* cert_ctx = NULL;
-@@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 		X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
- 	}
- 
--	csc = X509_STORE_CTX_new();
--
--	if (csc == NULL)
--		goto end;
--
- 	X509_STORE_set_flags(cert_ctx, 0);
- 
--	if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
--		goto end;
-+	for (i = 0; i < ARRAYSIZE(purposes); i++)
-+	{
-+		int rc = -1;
-+		int purpose = purposes[i];
-+		csc = X509_STORE_CTX_new();
- 
--	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
--	X509_STORE_CTX_set_verify_cb(csc, verify_cb);
-+		if (csc == NULL)
-+			goto skip;
-+		if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
-+			goto skip;
- 
--	if (X509_verify_cert(csc) == 1)
--		status = TRUE;
-+		X509_STORE_CTX_set_purpose(csc, purpose);
-+		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
-+
-+		rc = X509_verify_cert(csc);
-+	skip:
-+		X509_STORE_CTX_free(csc);
-+		if (rc == 1)
-+		{
-+			status = TRUE;
-+			break;
-+		}
-+	}
- 
--	X509_STORE_CTX_free(csc);
- 	X509_STORE_free(cert_ctx);
- end:
- 	return status;
diff --git a/freerdp-bug-6207.patch b/freerdp-bug-6207.patch
deleted file mode 100644
index 10ec71e..0000000
--- a/freerdp-bug-6207.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From de619e9964684eced5fb3108de81440b979aace0 Mon Sep 17 00:00:00 2001
-From: akallabeth <akallabeth@posteo.net>
-Date: Wed, 20 May 2020 13:45:57 +0200
-Subject: [PATCH] Abort on first possible certificate validation error
-
-Only retry certificate validation if the purpose was wrong.
----
- libfreerdp/crypto/crypto.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
-index 4507578ab6..5aaaa95924 100644
---- a/libfreerdp/crypto/crypto.c
-+++ b/libfreerdp/crypto/crypto.c
-@@ -837,7 +837,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 
- 	for (i = 0; i < ARRAYSIZE(purposes); i++)
- 	{
--		int rc = -1;
-+		int err = -1, rc = -1;
- 		int purpose = purposes[i];
- 		csc = X509_STORE_CTX_new();
- 
-@@ -850,6 +850,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
- 
- 		rc = X509_verify_cert(csc);
-+		err = X509_STORE_CTX_get_error(csc);
- 	skip:
- 		X509_STORE_CTX_free(csc);
- 		if (rc == 1)
-@@ -857,6 +858,8 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 			status = TRUE;
- 			break;
- 		}
-+		else if (err != X509_V_ERR_INVALID_PURPOSE)
-+			break;
- 	}
- 
- 	X509_STORE_free(cert_ctx);
diff --git a/freerdp.changes b/freerdp.changes
index edeb6ef..bd1c121 100644
--- a/freerdp.changes
+++ b/freerdp.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed May 20 15:14:52 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Updated to release 2.1.1
+  * CVE-2020-NYA: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
+  * CVE-2020-NYA: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
+  * CVE-2020-NYA: GHSL-2020-102 OOB Write in crypto_rsa_common
+  * Enforce synchronous legacy RDP encryption count (#6156)
+  * Fixed some leaks and crashes missed in 2.1.0
+  * Removed dynamic channel listener limits
+  * Lots of resource cleanup fixes (clang sanitizers)
+  * A couple of performance improvements
+  * Various small annoyances eliminated (typos, prefilled username for windows client, ...)
+
+- Removed freerdp-bug-6175.patch and freerdp-bug-6207.patch because included in upstream
+
 -------------------------------------------------------------------
 Wed May 20 12:34:27 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
 
diff --git a/freerdp.spec b/freerdp.spec
index a2567ac..17d57f0 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -27,19 +27,15 @@
 %define _lto_cflags %{nil}
 %endif
 Name:           freerdp
-Version:        2.1.0
+Version:        2.1.1
 Release:        0
 Summary:        Remote Desktop Viewer Client
 License:        Apache-2.0
 Group:          Productivity/Networking/Other
 URL:            https://www.freerdp.com/
 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}.tar.gz#/FreeRDP-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM freerdp-bug-6175.patch gh#FreeRDP/FreeRDP#6175
-Patch0:         freerdp-bug-6175.patch
 # PATCH-FIX-UPSTREAM freerdp-bug-6205.patch gh#FreeRDP/FreeRDP#6205
-Patch1:         freerdp-bug-6205.patch
-# PATCH-FIX-UPSTREAM freerdp-bug-6207.patch gh#FreeRDP/FreeRDP#6207
-Patch2:         freerdp-bug-6207.patch
+Patch0:         freerdp-bug-6205.patch
 BuildRequires:  chrpath
 BuildRequires:  cmake >= 2.8
 BuildRequires:  cups-devel