Accepting request 808120 from home:weberho:branches:X11:RemoteDesktop

- Updated to release 2.1.1 * CVE-2020-NYA: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage * CVE-2020-NYA: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value * CVE-2020-NYA: GHSL-2020-102 OOB Write in crypto_rsa_common * Enforce synchronous legacy RDP encryption count (#6156) * Fixed some leaks and crashes missed in 2.1.0 * Removed dynamic channel listener limits * Lots of resource cleanup fixes (clang sanitizers) * A couple of performance improvements * Various small annoyances eliminated (typos, prefilled username for windows client, ...) - Removed freerdp-bug-6175.patch and freerdp-bug-6207.patch because included in upstream OBS-URL: https://build.opensuse.org/request/show/808120 OBS-URL: https://build.opensuse.org/package/show/X11:RemoteDesktop/freerdp?expand=0&rev=101
2020-05-22 08:17:00 +00:00 · 2020-05-22 08:17:00 +00:00 · 1d886fecaa
commit 1d886fecaa
parent e85e92e73b
6 changed files with 21 additions and 118 deletions
--- a/FreeRDP-2.1.0.tar.gz
+++ b/FreeRDP-2.1.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:463b337c832dfc0918d03cf24cc94202535ad718915f11f51051da3442d4d8a7
-size 6825453
--- a/FreeRDP-2.1.1.tar.gz
+++ b/FreeRDP-2.1.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ce363a6578530cf508df802bb980a8dd49a874919bfa33b8c61d992ad0882bfb
+size 6828178
--- a/freerdp-bug-6175.patch
+++ b/freerdp-bug-6175.patch
@ -1,69 +0,0 @@
-From f3063a589d908a087a295b9217bc5fa34a80fb36 Mon Sep 17 00:00:00 2001
-From: akallabeth <akallabeth@posteo.net>
-Date: Tue, 12 May 2020 13:00:13 +0200
-Subject: [PATCH] Fixed #6148: multiple ceritificate purposes
-
-OpenSSL certificate verification can only check a single purpose.
-Run the checks with all allowed purposes and accept any.
---
- libfreerdp/crypto/crypto.c | 35 +++++++++++++++++++++++------------
- 1 file changed, 23 insertions(+), 12 deletions(-)
-
-diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
-index 0920e356e9..4507578ab6 100644
--- a/libfreerdp/crypto/crypto.c
-+++ b/libfreerdp/crypto/crypto.c
-@@ -797,6 +797,8 @@ static int verify_cb(int ok, X509_STORE_CTX* csc)
- 
- BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path)
- {
-+	size_t i;
-+	const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
- 	X509_STORE_CTX* csc;
- 	BOOL status = FALSE;
- 	X509_STORE* cert_ctx = NULL;
-@@ -831,23 +833,32 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 		X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
- 	}
- 
-	csc = X509_STORE_CTX_new();
-
-	if (csc == NULL)
-		goto end;
-
- 	X509_STORE_set_flags(cert_ctx, 0);
- 
-	if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
-		goto end;
-+	for (i = 0; i < ARRAYSIZE(purposes); i++)
-+	{
-+		int rc = -1;
-+		int purpose = purposes[i];
-+		csc = X509_STORE_CTX_new();
- 
-	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_ANY);
-	X509_STORE_CTX_set_verify_cb(csc, verify_cb);
-+		if (csc == NULL)
-+			goto skip;
-+		if (!X509_STORE_CTX_init(csc, cert_ctx, cert->px509, cert->px509chain))
-+			goto skip;
- 
-	if (X509_verify_cert(csc) == 1)
-		status = TRUE;
-+		X509_STORE_CTX_set_purpose(csc, purpose);
-+		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
-+
-+		rc = X509_verify_cert(csc);
-+	skip:
-+		X509_STORE_CTX_free(csc);
-+		if (rc == 1)
-+		{
-+			status = TRUE;
-+			break;
-+		}
-+	}
- 
-	X509_STORE_CTX_free(csc);
- 	X509_STORE_free(cert_ctx);
- end:
- 	return status;
--- a/freerdp-bug-6207.patch
+++ b/freerdp-bug-6207.patch
@ -1,40 +0,0 @@
-From de619e9964684eced5fb3108de81440b979aace0 Mon Sep 17 00:00:00 2001
-From: akallabeth <akallabeth@posteo.net>
-Date: Wed, 20 May 2020 13:45:57 +0200
-Subject: [PATCH] Abort on first possible certificate validation error
-
-Only retry certificate validation if the purpose was wrong.
---
- libfreerdp/crypto/crypto.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
-index 4507578ab6..5aaaa95924 100644
--- a/libfreerdp/crypto/crypto.c
-+++ b/libfreerdp/crypto/crypto.c
-@@ -837,7 +837,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 
- 	for (i = 0; i < ARRAYSIZE(purposes); i++)
- 	{
-		int rc = -1;
-+		int err = -1, rc = -1;
- 		int purpose = purposes[i];
- 		csc = X509_STORE_CTX_new();
- 
-@@ -850,6 +850,7 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 		X509_STORE_CTX_set_verify_cb(csc, verify_cb);
- 
- 		rc = X509_verify_cert(csc);
-+		err = X509_STORE_CTX_get_error(csc);
- 	skip:
- 		X509_STORE_CTX_free(csc);
- 		if (rc == 1)
-@@ -857,6 +858,8 @@ BOOL x509_verify_certificate(CryptoCert cert, const char* certificate_store_path
- 			status = TRUE;
- 			break;
- 		}
-+		else if (err != X509_V_ERR_INVALID_PURPOSE)
-+			break;
- 	}
- 
- 	X509_STORE_free(cert_ctx);
--- a/freerdp.changes
+++ b/freerdp.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed May 20 15:14:52 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Updated to release 2.1.1
+  * CVE-2020-NYA: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
+  * CVE-2020-NYA: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
+  * CVE-2020-NYA: GHSL-2020-102 OOB Write in crypto_rsa_common
+  * Enforce synchronous legacy RDP encryption count (#6156)
+  * Fixed some leaks and crashes missed in 2.1.0
+  * Removed dynamic channel listener limits
+  * Lots of resource cleanup fixes (clang sanitizers)
+  * A couple of performance improvements
+  * Various small annoyances eliminated (typos, prefilled username for windows client, ...)
+
+- Removed freerdp-bug-6175.patch and freerdp-bug-6207.patch because included in upstream
+
 -------------------------------------------------------------------
 Wed May 20 12:34:27 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>

--- a/freerdp.spec
+++ b/freerdp.spec
@ -27,19 +27,15 @@
 %define _lto_cflags %{nil}
 %endif
 Name:           freerdp
-Version:        2.1.0
+Version:        2.1.1
 Release:        0
 Summary:        Remote Desktop Viewer Client
 License:        Apache-2.0
 Group:          Productivity/Networking/Other
 URL:            https://www.freerdp.com/
 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}.tar.gz#/FreeRDP-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM freerdp-bug-6175.patch gh#FreeRDP/FreeRDP#6175
-Patch0:         freerdp-bug-6175.patch
 # PATCH-FIX-UPSTREAM freerdp-bug-6205.patch gh#FreeRDP/FreeRDP#6205
-Patch1:         freerdp-bug-6205.patch
-# PATCH-FIX-UPSTREAM freerdp-bug-6207.patch gh#FreeRDP/FreeRDP#6207
-Patch2:         freerdp-bug-6207.patch
+Patch0:         freerdp-bug-6205.patch
 BuildRequires:  chrpath
 BuildRequires:  cmake >= 2.8
 BuildRequires:  cups-devel