import freerdp-2.0.0-46.rc4.el8_2.2

2020-06-04 16:38:43 -04:00 · 2020-06-04 16:38:43 -04:00 · b3339ab49a
parent 9ae04fc6d3
commit b3339ab49a
2 changed files with 83 additions and 1 deletions
--- a/SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch
+++ b/SOURCES/Fixed-GHSL-2020-102-heap-overflow.patch
@ -0,0 +1,78 @@
+From 0d468aacfc2c14b904896d9d7ee2cd07bf7c6004 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Tue, 19 May 2020 07:41:14 +0200
+Subject: [PATCH] Fixed  GHSL-2020-102 heap overflow
+
+(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)
+---
+ libfreerdp/crypto/crypto.c | 41 ++++++++++++++++++++++++++++----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
+index 39875f74d..10d430a82 100644
+--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
+@@ -96,13 +96,24 @@ exit:
+ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus,
+                              const BYTE* exponent, int exponent_size, BYTE* output)
+ {
+-	BN_CTX* ctx;
+	BN_CTX* ctx = NULL;
+ 	int output_length = -1;
+-	BYTE* input_reverse;
+-	BYTE* modulus_reverse;
+-	BYTE* exponent_reverse;
+-	BIGNUM* mod, *exp, *x, *y;
+-	input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
+	BYTE* input_reverse = NULL;
+	BYTE* modulus_reverse = NULL;
+	BYTE* exponent_reverse = NULL;
+	BIGNUM* mod = NULL;
+	BIGNUM* exp = NULL;
+	BIGNUM* x = NULL;
+	BIGNUM* y = NULL;
+	size_t bufferSize = 2 * key_length + exponent_size;
+
+	if (!input || (length < 0) || (exponent_size < 0) || !modulus || !exponent || !output)
+		return -1;
+
+	if (length > bufferSize)
+		bufferSize = length;
+
+	input_reverse = (BYTE*)calloc(bufferSize, 1);
+ 
+ 	if (!input_reverse)
+ 		return -1;
+@@ -131,16 +142,24 @@ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, c
+ 	if (!(y = BN_new()))
+ 		goto fail_bn_y;
+ 
+-	BN_bin2bn(modulus_reverse, key_length, mod);
+-	BN_bin2bn(exponent_reverse, exponent_size, exp);
+-	BN_bin2bn(input_reverse, length, x);
+-	BN_mod_exp(y, x, exp, mod, ctx);
+	if (!BN_bin2bn(modulus_reverse, key_length, mod))
+		goto fail;
+
+	if (!BN_bin2bn(exponent_reverse, exponent_size, exp))
+		goto fail;
+	if (!BN_bin2bn(input_reverse, length, x))
+		goto fail;
+	if (BN_mod_exp(y, x, exp, mod, ctx) != 1)
+		goto fail;
+ 	output_length = BN_bn2bin(y, output);
+	if (output_length < 0)
+		goto fail;
+ 	crypto_reverse(output, output_length);
+ 
+-	if (output_length < (int) key_length)
+	if (output_length < key_length)
+ 		memset(output + output_length, 0, key_length - output_length);
+ 
+fail:
+ 	BN_free(y);
+ fail_bn_y:
+ 	BN_clear_free(x);
+-- 
+2.26.2
+
--- a/SPECS/freerdp.spec
+++ b/SPECS/freerdp.spec
@ -18,7 +18,7 @@

 Name:           freerdp
 Version:        2.0.0
-Release:        46.rc4%{?dist}.1
+Release:        46.rc4%{?dist}.2
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@ -29,6 +29,7 @@ Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{gittag}/FreeRDP-%{g
 Patch1:         Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
 Patch2:         Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
 Patch3:         Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch
+Patch4:         Fixed-GHSL-2020-102-heap-overflow.patch

 BuildRequires:  gcc
 BuildRequires:  gcc-c++
@ -299,6 +300,9 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc

 %changelog
+* Mon Jun 01 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4.2
+- CVE-2020-13398: Fix out-of-bounds write in crypto.c (#1841978)
+
 * Wed May 20 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4.1
 - CVE-2020-11521: Fix out-of-bounds write in planar.c (#1837632)
 - CVE-2020-11523: Fix integer overflow in region.c (#1837633)