From 0657b181a41e0249d6781f8fff863d2b87146c16 Mon Sep 17 00:00:00 2001 From: Ondrej Holy Date: Thu, 8 Dec 2022 10:57:53 +0100 Subject: [PATCH] CVE-2022-39283: Add missing length check in video channel Resolves: #2136154 --- ...issing-length-check-in-video-channel.patch | 29 +++++++++++++++++++ freerdp.spec | 4 +++ 2 files changed, 33 insertions(+) create mode 100644 Fixed-missing-length-check-in-video-channel.patch diff --git a/Fixed-missing-length-check-in-video-channel.patch b/Fixed-missing-length-check-in-video-channel.patch new file mode 100644 index 0000000..3ba3d3d --- /dev/null +++ b/Fixed-missing-length-check-in-video-channel.patch @@ -0,0 +1,29 @@ +From bf28ea249de57acc6dfadbd778afef2093c1c283 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Thu, 6 Oct 2022 09:15:40 +0200 +Subject: [PATCH] Fixed missing length check in video channel + +Data received in video redirection channel was not checked for +proper length. + +(cherry picked from commit eeffd1050e9284d1464b58e049b2b4d88726632b) +--- + channels/video/client/video_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/channels/video/client/video_main.c b/channels/video/client/video_main.c +index a21e7cdf2..a8031fc86 100644 +--- a/channels/video/client/video_main.c ++++ b/channels/video/client/video_main.c +@@ -930,6 +930,8 @@ static UINT video_data_on_data_received(IWTSVirtualChannelCallback* pChannelCall + Stream_Read_UINT16(s, data.PacketsInSample); + Stream_Read_UINT32(s, data.SampleNumber); + Stream_Read_UINT32(s, data.cbSample); ++ if (!Stream_CheckAndLogRequiredLength(TAG, s, data.cbSample)) ++ return ERROR_INVALID_DATA; + data.pSample = Stream_Pointer(s); + + /* +-- +2.37.1 + diff --git a/freerdp.spec b/freerdp.spec index d3fe4be..f42632f 100644 --- a/freerdp.spec +++ b/freerdp.spec @@ -43,6 +43,9 @@ Patch3: Implement-BIO_CTRL_GET_KTLS_SEND-and-BIO_CTRL_GET_KT.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2136152 Patch4: Fix-length-checks-in-parallel-driver.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2136154 +Patch5: Fixed-missing-length-check-in-video-channel.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel @@ -310,6 +313,7 @@ find %{buildroot} -name "*.a" -delete %changelog * Thu Dec 08 2022 Ondrej Holy - - 2:2.4.1-4 - CVE-2022-39282: Fix length checks in parallel driver (#2136152) +- CVE-2022-39283: Add missing length check in video channel (#2136154) * Wed Jun 22 2022 Ondrej Holy - - 2:2.4.1-3 - Fix gateway functionality with OpenSSL 3.0 (#2023262)