import freerdp-2.1.1-1.el8

CentOS Sources 2020-11-03 06:58:03 -05:00 committed by Andrew Lukoshko
parent b3339ab49a
commit c178d4fe83
8 changed files with 71 additions and 319 deletions


@ -1 +1 @@
bd50ce9d8807499e14884a3019e9f42b40f3480b SOURCES/FreeRDP-2.0.0-rc4.tar.gz
74013042a9d8bdbfd58f0a887f197702183c0df9 SOURCES/FreeRDP-2.1.1.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/FreeRDP-2.0.0-rc4.tar.gz
SOURCES/FreeRDP-2.1.1.tar.gz


@ -1,69 +0,0 @@
From bda8e5ebfb772c0de3832d77b49749538c61eb14 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 17:32:04 +0200
Subject: [PATCH] Fix CVE-2020-11523: clamp invalid rectangles to size 0
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/gdi/region.c | 36 ++++++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/libfreerdp/gdi/region.c b/libfreerdp/gdi/region.c
index d3b28b562..1ffbf79bf 100644
--- a/libfreerdp/gdi/region.c
+++ b/libfreerdp/gdi/region.c
@@ -37,6 +37,19 @@
#define TAG FREERDP_TAG("gdi.region")
+static char* gdi_rect_str(char* buffer, size_t size, const HGDI_RECT rect)
+{
+ if (!buffer || (size < 1) || !rect)
+ return NULL;
+
+ _snprintf(buffer, size - 1,
+ "[top/left=%" PRId32 "x%" PRId32 "-bottom/right%" PRId32 "x%" PRId32 "]", rect->top,
+ rect->left, rect->bottom, rect->right);
+ buffer[size - 1] = '\0';
+
+ return buffer;
+}
+
/**
* Create a region from rectangular coordinates.\n
* @msdn{dd183514}
@@ -134,10 +147,29 @@ INLINE void gdi_RectToCRgn(const HGDI_RECT rect,
INT32* x, INT32* y,
INT32* w, INT32* h)
{
+ INT64 tmp;
*x = rect->left;
*y = rect->top;
- *w = rect->right - rect->left + 1;
- *h = rect->bottom - rect->top + 1;
+ tmp = rect->right - rect->left + 1;
+ if ((tmp < 0) || (tmp > INT32_MAX))
+ {
+ char buffer[256];
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+ gdi_rect_str(buffer, sizeof(buffer), rect));
+ *w = 0;
+ }
+ else
+ *w = tmp;
+ tmp = rect->bottom - rect->top + 1;
+ if ((tmp < 0) || (tmp > INT32_MAX))
+ {
+ char buffer[256];
+ WLog_ERR(TAG, "[%s] rectangle invalid %s", __FUNCTION__,
+ gdi_rect_str(buffer, sizeof(buffer), rect));
+ *h = 0;
+ }
+ else
+ *h = tmp;
}
/**
--
2.26.2


@ -1,42 +0,0 @@
From b62b942e805cdfdfd1e71ec752c08091d4c3229f Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:05:17 +0200
Subject: [PATCH] Fix CVE-2020-11524: out of bounds access in interleaved
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/codec/include/bitmap.c | 4 ++++
libfreerdp/codec/interleaved.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/libfreerdp/codec/include/bitmap.c b/libfreerdp/codec/include/bitmap.c
index 602d1b333..734ed136d 100644
--- a/libfreerdp/codec/include/bitmap.c
+++ b/libfreerdp/codec/include/bitmap.c
@@ -338,6 +338,10 @@ static INLINE BOOL RLEDECOMPRESS(const BYTE* pbSrcBuffer, UINT32 cbSrcBuffer,
case MEGA_MEGA_COLOR_IMAGE:
runLength = ExtractRunLength(code, pbSrc, &advance);
pbSrc = pbSrc + advance;
+
+ if (!ENSURE_CAPACITY(pbDest, pbDestEnd, runLength))
+ return FALSE;
+
UNROLL(runLength,
{
SRCREADPIXEL(temp, pbSrc);
diff --git a/libfreerdp/codec/interleaved.c b/libfreerdp/codec/interleaved.c
index a3fe7dd3f..0d36e9b9f 100644
--- a/libfreerdp/codec/interleaved.c
+++ b/libfreerdp/codec/interleaved.c
@@ -215,7 +215,7 @@ static INLINE BOOL ensure_capacity(const BYTE* start, const BYTE* end, size_t si
{
const size_t available = (uintptr_t)end - (uintptr_t)start;
const BOOL rc = available >= size * base;
- return rc;
+ return rc && (start <= end);
}
static INLINE void write_pixel_8(BYTE* _buf, BYTE _pix)
--
2.26.2


@ -1,92 +0,0 @@
From d9f3c98918912de94af033fbab9578188ad46cf7 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Mon, 30 Mar 2020 18:18:12 +0200
Subject: [PATCH] Fixed CVE-2020-11521: Out of bounds write in planar codec.
Thanks to Sunglin and HuanGMz from Knownsec 404
---
libfreerdp/codec/planar.c | 15 ++++++++-------
libfreerdp/core/orders.c | 6 ++++++
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
index 98f2495e2..34c48d786 100644
--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
@@ -42,10 +42,9 @@ static INLINE BYTE* freerdp_bitmap_planar_delta_encode_plane(
static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
UINT32 nWidth, UINT32 nHeight)
{
+ UINT32 used = 0;
UINT32 x, y;
BYTE controlByte;
- const BYTE* pRLE = pSrcData;
- const BYTE* pEnd = &pSrcData[SrcSize];
for (y = 0; y < nHeight; y++)
{
@@ -54,10 +53,10 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
int cRawBytes;
int nRunLength;
- if (pRLE >= pEnd)
+ if (used >= SrcSize)
return -1;
- controlByte = *pRLE++;
+ controlByte = pSrcData[used++];
nRunLength = PLANAR_CONTROL_BYTE_RUN_LENGTH(controlByte);
cRawBytes = PLANAR_CONTROL_BYTE_RAW_BYTES(controlByte);
@@ -72,19 +71,21 @@ static INLINE INT32 planar_skip_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
cRawBytes = 0;
}
- pRLE += cRawBytes;
+ used += cRawBytes;
x += cRawBytes;
x += nRunLength;
if (x > nWidth)
return -1;
- if (pRLE > pEnd)
+ if (used > SrcSize)
return -1;
}
}
- return (INT32)(pRLE - pSrcData);
+ if (used > INT32_MAX)
+ return -1;
+ return (INT32)used;
}
static INLINE INT32 planar_decompress_plane_rle(const BYTE* pSrcData, UINT32 SrcSize,
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
index 9f3489f17..e44f0dead 100644
--- a/libfreerdp/core/orders.c
+++ b/libfreerdp/core/orders.c
@@ -1961,6 +1961,9 @@ static CACHE_BITMAP_ORDER* update_read_cache_bitmap_order(rdpUpdate* update, wSt
}
}
+ if (cache_bitmap->bitmapLength == 0)
+ goto fail;
+
if (Stream_GetRemainingLength(s) < cache_bitmap->bitmapLength)
goto fail;
@@ -2095,6 +2098,9 @@ static CACHE_BITMAP_V2_ORDER* update_read_cache_bitmap_v2_order(rdpUpdate* updat
}
}
+ if (cache_bitmap_v2->bitmapLength == 0)
+ goto fail;
+
if (Stream_GetRemainingLength(s) < cache_bitmap_v2->bitmapLength)
goto fail;
--
2.26.2


@ -1,78 +0,0 @@
From 0d468aacfc2c14b904896d9d7ee2cd07bf7c6004 Mon Sep 17 00:00:00 2001
From: akallabeth <akallabeth@posteo.net>
Date: Tue, 19 May 2020 07:41:14 +0200
Subject: [PATCH] Fixed GHSL-2020-102 heap overflow
(cherry picked from commit 197b16cc15a12813c2e4fa2d6ae9cd9c4a57e581)
---
libfreerdp/crypto/crypto.c | 41 ++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/libfreerdp/crypto/crypto.c b/libfreerdp/crypto/crypto.c
index 39875f74d..10d430a82 100644
--- a/libfreerdp/crypto/crypto.c
+++ b/libfreerdp/crypto/crypto.c
@@ -96,13 +96,24 @@ exit:
static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, const BYTE* modulus,
const BYTE* exponent, int exponent_size, BYTE* output)
{
- BN_CTX* ctx;
+ BN_CTX* ctx = NULL;
int output_length = -1;
- BYTE* input_reverse;
- BYTE* modulus_reverse;
- BYTE* exponent_reverse;
- BIGNUM* mod, *exp, *x, *y;
- input_reverse = (BYTE*) malloc(2 * key_length + exponent_size);
+ BYTE* input_reverse = NULL;
+ BYTE* modulus_reverse = NULL;
+ BYTE* exponent_reverse = NULL;
+ BIGNUM* mod = NULL;
+ BIGNUM* exp = NULL;
+ BIGNUM* x = NULL;
+ BIGNUM* y = NULL;
+ size_t bufferSize = 2 * key_length + exponent_size;
+
+ if (!input || (length < 0) || (exponent_size < 0) || !modulus || !exponent || !output)
+ return -1;
+
+ if (length > bufferSize)
+ bufferSize = length;
+
+ input_reverse = (BYTE*)calloc(bufferSize, 1);
if (!input_reverse)
return -1;
@@ -131,16 +142,24 @@ static int crypto_rsa_common(const BYTE* input, int length, UINT32 key_length, c
if (!(y = BN_new()))
goto fail_bn_y;
- BN_bin2bn(modulus_reverse, key_length, mod);
- BN_bin2bn(exponent_reverse, exponent_size, exp);
- BN_bin2bn(input_reverse, length, x);
- BN_mod_exp(y, x, exp, mod, ctx);
+ if (!BN_bin2bn(modulus_reverse, key_length, mod))
+ goto fail;
+
+ if (!BN_bin2bn(exponent_reverse, exponent_size, exp))
+ goto fail;
+ if (!BN_bin2bn(input_reverse, length, x))
+ goto fail;
+ if (BN_mod_exp(y, x, exp, mod, ctx) != 1)
+ goto fail;
output_length = BN_bn2bin(y, output);
+ if (output_length < 0)
+ goto fail;
crypto_reverse(output, output_length);
- if (output_length < (int) key_length)
+ if (output_length < key_length)
memset(output + output_length, 0, key_length - output_length);
+fail:
BN_free(y);
fail_bn_y:
BN_clear_free(x);
--
2.26.2


@ -0,0 +1,32 @@
From d8cd671cc68d503757e32eb80f7a4dee44e47754 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 27 May 2020 08:43:00 +0200
Subject: [PATCH] winpr/library: Use RTLD_GLOBAL for dlopen
LoadLibraryA implementation uses the RTLD_LOCAL flag for dlopen currently.
This flag doesn't allow the symbols to be used by the subsequently loaded
libraries. This is a problem for the video channel when -DBUILTIN_CHANNELS=OFF
is used as it uses functions from the geometry channel. Let's use RTLD_GLOBAL
instead to prevent "undefined symbol" errors in such cases.
Fixes: https://github.com/FreeRDP/FreeRDP/issues/6236
---
winpr/libwinpr/library/library.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/winpr/libwinpr/library/library.c b/winpr/libwinpr/library/library.c
index f44a96d27..8d33227b2 100644
--- a/winpr/libwinpr/library/library.c
+++ b/winpr/libwinpr/library/library.c
@@ -125,7 +125,7 @@ HMODULE LoadLibraryA(LPCSTR lpLibFileName)
return hModule;
#else
HMODULE library;
- library = dlopen(lpLibFileName, RTLD_LOCAL | RTLD_LAZY);
+ library = dlopen(lpLibFileName, RTLD_GLOBAL | RTLD_LAZY);
if (!library)
{
--
2.26.2
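Review bot: The switch to `dlopen(lpLibFileName, RTLD_GLOBAL | RTLD_LAZY)` is made in the generic `LoadLibraryA` wrapper, so it applies to every library loaded through that call, not only to the video and geometry channels named in the description. With RTLD_GLOBAL each loaded module's exported symbols can satisfy references in libraries loaded afterwards, so a name exported by two add-ins resolves to whichever was loaded first, and RTLD_LAZY defers that binding until the first call. The function body starts and ends outside the hunk, so how `lpLibFileName` is built cannot be checked here. I would document the trade-off at the call site, e.g. `/* RTLD_GLOBAL: channel plugins use each other's symbols when BUILTIN_CHANNELS=OFF (FreeRDP issue 6236); all exports now share one namespace */`, and confirm that add-in exports are uniquely prefixed.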


@ -1,5 +1,3 @@
%global gittag 2.0.0-rc4
# Can be rebuilt with FFmpeg/H264 support enabled by passing "--with=ffmpeg",
# "--with=x264" or "--with=openh264" to mock/rpmbuild; or by globally setting
# these variables:
@ -16,20 +14,23 @@
# https://bugzilla.redhat.com/show_bug.cgi?id=1639165
%{!?rhel:%global _with_server 1}
# Disable support for missing codecs in RHEL
%{!?rhel:%global _with_soxr 1}
%if 0%{?fedora} || 0%{?rhel} >= 8
%global _with_lame 1
%endif
Name: freerdp
Version: 2.0.0
Release: 46.rc4%{?dist}.2
Version: 2.1.1
Release: 1%{?dist}
Epoch: 2
Summary: Free implementation of the Remote Desktop Protocol (RDP)
License: ASL 2.0
URL: http://www.freerdp.com/
Source0: https://github.com/FreeRDP/FreeRDP/archive/%{gittag}/FreeRDP-%{gittag}.tar.gz
Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz
Patch1: Fixed-CVE-2020-11521-Out-of-bounds-write-in-planar-c.patch
Patch2: Fix-CVE-2020-11523-clamp-invalid-rectangles-to-size-.patch
Patch3: Fix-CVE-2020-11524-out-of-bounds-access-in-interleav.patch
Patch4: Fixed-GHSL-2020-102-heap-overflow.patch
Patch1: winpr-library-Use-RTLD_GLOBAL-for-dlopen.patch
BuildRequires: gcc
BuildRequires: gcc-c++
@ -37,6 +38,8 @@ BuildRequires: alsa-lib-devel
BuildRequires: cmake >= 2.8
BuildRequires: cups-devel
BuildRequires: gsm-devel
%{?_with_lame:BuildRequires: lame-devel}
BuildRequires: libicu-devel
BuildRequires: libjpeg-turbo-devel
BuildRequires: libX11-devel
BuildRequires: libXcursor-devel
@ -55,6 +58,7 @@ BuildRequires: xmlto
BuildRequires: zlib-devel
BuildRequires: multilib-rpm-config
BuildRequires: pkgconfig(cairo)
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(dbus-glib-1)
BuildRequires: pkgconfig(glib-2.0)
@ -69,7 +73,9 @@ BuildRequires: pkgconfig(gstreamer-video-1.0)
BuildRequires: pkgconfig(libpcsclite)
BuildRequires: pkgconfig(libpulse)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libusb-1.0)
BuildRequires: pkgconfig(openssl)
%{?_with_soxr:BuildRequires: pkgconfig(soxr)}
BuildRequires: pkgconfig(wayland-client)
BuildRequires: pkgconfig(wayland-scanner)
BuildRequires: pkgconfig(xkbcommon)
@ -79,7 +85,7 @@ BuildRequires: pkgconfig(libavcodec) >= 57.48.101
BuildRequires: pkgconfig(libavutil)
}
Provides: xfreerdp = %{version}-%{release}
Provides: xfreerdp = %{?epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{?epoch}:%{version}-%{release}
Requires: libwinpr%{?_isa} = %{?epoch}:%{version}-%{release}
@ -127,7 +133,7 @@ the RDP protocol.
%package -n libwinpr
Summary: Windows Portable Runtime
Provides: %{name}-libwinpr = %{?epoch}:%{version}-%{release}
Obsoletes: %{name}-libwinpr < %{?epoch}:%{version}-%{release}
Obsoletes: %{name}-libwinpr < 1:1.2.0
%description -n libwinpr
WinPR provides API compatibility for applications targeting non-Windows
@ -145,7 +151,7 @@ The %{name}-libwinpr-devel package contains libraries and header files for
developing applications that use %{name}-libwinpr.
%prep
%autosetup -p1 -n FreeRDP-%{gittag}
%autosetup -p1 -n FreeRDP-%{version}
# Rpmlint fixes
find . -name "*.h" -exec chmod 664 {} \;
@ -164,8 +170,10 @@ find . -name "*.c" -exec chmod 664 {} \;
-DWITH_GSSAPI=%{?_with_gss:ON}%{?!_with_gss:OFF} \
-DWITH_GSTREAMER_1_0=ON -DWITH_GSTREAMER_0_10=OFF \
-DGSTREAMER_1_0_INCLUDE_DIRS=%{_includedir}/gstreamer-1.0 \
-DWITH_ICU=ON \
-DWITH_IPP=OFF \
-DWITH_JPEG=ON \
-DWITH_LAME=%{?_with_lame:ON}%{?!_with_lame:OFF} \
-DWITH_MANPAGES=ON \
-DWITH_OPENH264=%{?_with_openh264:ON}%{?!_with_openh264:OFF} \
-DWITH_OPENSSL=ON \
@ -175,6 +183,7 @@ find . -name "*.c" -exec chmod 664 {} \;
-DWITH_SERVER_INTERFACE=%{?_with_server:ON}%{?!_with_server:OFF} \
-DWITH_SHADOW_X11=%{?_with_server:ON}%{?!_with_server:OFF} \
-DWITH_SHADOW_MAC=%{?_with_server:ON}%{?!_with_server:OFF} \
-DWITH_SOXR=%{?_with_soxr:ON}%{?!_with_soxr:OFF} \
-DWITH_WAYLAND=ON \
-DWITH_X11=ON \
-DWITH_X264=%{?_with_x264:ON}%{?!_with_x264:OFF} \
@ -189,6 +198,7 @@ find . -name "*.c" -exec chmod 664 {} \;
-DWITH_ZLIB=ON \
%ifarch x86_64
-DWITH_SSE2=ON \
-DWITH_VAAPI=%{?_with_ffmpeg:ON}%{?!_with_ffmpeg:OFF} \
%else
-DWITH_SSE2=OFF \
%endif
@ -206,10 +216,10 @@ find . -name "*.c" -exec chmod 664 {} \;
%endif
.
make %{?_smp_mflags}
%make_build
pushd winpr/tools/makecert-cli
make %{?_smp_mflags}
%make_build
popd
%install
@ -220,27 +230,19 @@ find %{buildroot} -name "*.a" -delete
%multilib_fix_c_header --file %{_includedir}/freerdp2/freerdp/build-config.h
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%post -n libwinpr -p /sbin/ldconfig
%postun -n libwinpr -p /sbin/ldconfig
%files
%{_bindir}/winpr-hash
%{_bindir}/winpr-makecert
%{_bindir}/wlfreerdp
%{_bindir}/xfreerdp
%{_mandir}/man1/winpr-hash.1.*
%{_mandir}/man1/winpr-makecert.1.*
%{_mandir}/man1/wlfreerdp.1.*
%{_mandir}/man1/xfreerdp.1.*
%{_mandir}/man1/winpr-hash.1*
%{_mandir}/man1/winpr-makecert.1*
%{_mandir}/man1/wlfreerdp.1*
%{_mandir}/man1/xfreerdp.1*
%files libs
%license LICENSE
%doc README ChangeLog
%doc README.md ChangeLog
%{_libdir}/freerdp2/
%{_libdir}/libfreerdp-client2.so.*
%{?_with_server:
@ -280,14 +282,14 @@ find %{buildroot} -name "*.a" -delete
%{?_with_server:
%files server
%{_bindir}/freerdp-proxy
%{_bindir}/freerdp-shadow-cli
%{_mandir}/man1/freerdp-shadow-cli.1.*
%{_mandir}/man1/freerdp-shadow-cli.1*
}
%files -n libwinpr
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc README ChangeLog
%doc README.md ChangeLog
%{_libdir}/libwinpr2.so.*
%{_libdir}/libwinpr-tools2.so.*
@ -300,13 +302,12 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools2.pc
%changelog
* Mon Jun 01 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4.2
- CVE-2020-13398: Fix out-of-bounds write in crypto.c (#1841978)
* Mon May 25 2020 Ondrej Holy <oholy@redhat.com> - 2:2.1.1-1
- Update to 2.1.1 (rhbz#1834287).
* Wed May 20 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4.1
- CVE-2020-11521: Fix out-of-bounds write in planar.c (#1837632)
- CVE-2020-11523: Fix integer overflow in region.c (#1837633)
- CVE-2020-11524: Fix out-of-bounds write in interleaved.c (#1837631)
* Fri Apr 17 2020 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-47.rc4
- Fix SCARD_INSUFFICIENT_BUFFER error (rhbz#1803054)
- Do not advertise /usb in help output (rhbz#1761144)
* Wed Nov 28 2018 Ondrej Holy <oholy@redhat.com> - 2:2.0.0-46.rc4
- Update to 2.0.0-rc4 (#1624340)
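Review bot: The rebase removes Patch1–Patch4 (CVE-2020-11521, CVE-2020-11523, CVE-2020-11524 and the GHSL-2020-102 crypto.c fix) and, going by the `-300,13 +302,12` hunk counts, also the Jun 01 and May 20 `%changelog` entries that recorded them, so the resulting package no longer states that these issues are addressed. The fixes are presumably contained in the 2.1.1 tarball, but nothing in the spec says so, and audits that search the package changelog for CVE ids will no longer find them. I would extend the new entry, e.g. `- Update to 2.1.1 (rhbz#1834287), includes fixes for CVE-2020-11521, CVE-2020-11523, CVE-2020-11524 and CVE-2020-13398`, after confirming each fix is present in the new source.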