Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160)

(cherry picked from Fedora commit d274320ad4fd1c4e8a03d68813e80070a9a391f7) Resolves: #2017957, #2017950 Related: #2023182
2021-11-10 09:19:53 +01:00 · 2021-11-10 09:19:53 +01:00 · bfe82ab42a
parent 92dad3c150
commit bfe82ab42a
6 changed files with 7 additions and 141 deletions
--- a/.gitignore
+++ b/.gitignore
@ -50,3 +50,4 @@
 /FreeRDP-2.2.0.tar.gz
 /FreeRDP-2.3.2.tar.gz
 /FreeRDP-2.4.0.tar.gz
+/FreeRDP-2.4.1.tar.gz
--- a/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
+++ b/Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
@ -1,41 +0,0 @@
-From df5d2572497f4cd7ab15144dbab99d0e01495127 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Wed, 12 May 2021 12:48:15 +0200
-Subject: [PATCH] Fix FIPS mode support and build with OpenSSL 3.0
-
-FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
-and `FIPS_mode_set` functions, which were removed there. Just a note that
-the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
-functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
-Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
-
-See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
---
- winpr/libwinpr/utils/ssl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
-index 3a8590390..03b23af43 100644
--- a/winpr/libwinpr/utils/ssl.c
-+++ b/winpr/libwinpr/utils/ssl.c
-@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
- #else
- 		WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
- 
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+		if (!EVP_default_properties_is_fips_enabled(NULL))
-+#else
- 		if (FIPS_mode() != 1)
-+#endif
- 		{
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+			if (EVP_set_default_properties(NULL, "fips=yes"))
-+#else
- 			if (FIPS_mode_set(1))
-+#endif
- 				WLog_INFO(TAG, "Openssl fips mode ENabled!");
- 			else
- 			{
-- 
-2.31.1
-
--- a/freerdp.spec
+++ b/freerdp.spec
@ -21,8 +21,8 @@
 %endif

 Name:           freerdp
-Version:        2.4.0
-Release:        3%{?dist}
+Version:        2.4.1
+Release:        1%{?dist}
 Epoch:          2
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)
 License:        ASL 2.0
@ -30,10 +30,6 @@ URL:            http://www.freerdp.com/

 Source0:        https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz

-Patch0:         Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
-Patch1:         winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
-Patch2:         winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
-
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@ -299,6 +295,9 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc

 %changelog
+* Wed Nov 10 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-1
+- Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:2.4.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (FreeRDP-2.4.0.tar.gz) = fb63c40dcdbbc16bf1d591227ec04537f96f0d5098be28a7b8b0158c83803941f1737604473e6fec45e85ec951bf4309c7b119a282ed2a7902f095757da67b20
+SHA512 (FreeRDP-2.4.1.tar.gz) = a02c2fac8f90142b8b7a36e31a720c79d7947c32fc8d4ac1c976e4f01467b3d78c50b00974af1db6e3e61c2c81ac77c1ac9bf889d14e4be084afa18b634e28f0
--- a/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
+++ b/winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
@ -1,47 +0,0 @@
-From a79e09d97435bfdf4fdd439d76d847ba8dcbb445 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Tue, 3 Aug 2021 08:39:21 +0200
-Subject: [PATCH] winpr/crypto: Exit cleanly when EVP_EncryptInit_ex fails
-
-The `EVP_EncryptInit_ex` function may fail in certain configurations.
-Consequently, FreeRDP segfaults in `EVP_CIPHER_CTX_set_key_length`.
-Let's handle the `EVP_EncryptInit_ex` failures and exit cleanly in
-such case.
---
- winpr/libwinpr/crypto/cipher.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index c47595b14..bd52cfeed 100644
--- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -66,7 +66,12 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 		return NULL;
- 
- 	EVP_CIPHER_CTX_init((EVP_CIPHER_CTX*)ctx);
-	EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL);
-+	if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL) != 1)
-+	{
-+		EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+		return NULL;
-+	}
-+
- 	/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
- #if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
- 
-@@ -75,7 +80,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 
- #endif
- 	EVP_CIPHER_CTX_set_key_length((EVP_CIPHER_CTX*)ctx, keylen);
-	EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL);
-+	if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL) != 1)
-+	{
-+		EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
-+		return NULL;
-+	}
- #elif defined(WITH_MBEDTLS) && defined(MBEDTLS_ARC4_C)
- 
- 	if (!(ctx = (WINPR_RC4_CTX*)calloc(1, sizeof(mbedtls_arc4_context))))
-- 
-2.31.1
-
--- a/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
+++ b/winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
@ -1,46 +0,0 @@
-From e1f63dba5c63302b8a5e9d33c9ffe5580105de72 Mon Sep 17 00:00:00 2001
-From: Ondrej Holy <oholy@redhat.com>
-Date: Tue, 3 Aug 2021 08:47:13 +0200
-Subject: [PATCH] winpr/crypto: Load legacy provider to fix rc4 with OpenSSL
- 3.0
-
-Currently, the `EVP_EncryptInit_ex` function fails for rc4 with OpenSSL 3.0.
-This is becuase rc4 is provided by the legacy provider which is not loaded
-by default. Let's explicitly load the legacy provider to make FreeRDP work
-with OpenSSL 3.0.
-
-Relates: https://github.com/openssl/openssl/issues/14392
-Fixes: https://github.com/FreeRDP/FreeRDP/issues/6604
---
- winpr/libwinpr/crypto/cipher.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
-index bd52cfeed..75d25a1c7 100644
--- a/winpr/libwinpr/crypto/cipher.c
-+++ b/winpr/libwinpr/crypto/cipher.c
-@@ -29,6 +29,9 @@
- #include <openssl/rc4.h>
- #include <openssl/des.h>
- #include <openssl/evp.h>
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+#include <openssl/provider.h>
-+#endif
- #endif
- 
- #ifdef WITH_MBEDTLS
-@@ -58,6 +60,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
- 
- #if defined(WITH_OPENSSL)
- 
-+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
-+	if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
-+		return NULL;
-+#endif
-+
- 	if (!(ctx = (WINPR_RC4_CTX*)EVP_CIPHER_CTX_new()))
- 		return NULL;
- 
-- 
-2.31.1
-