rpms/freerdp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160)

Browse Source
This commit is contained in:
Ondrej Holy 2021-11-10 09:19:53 +01:00
parent 1e8125180e
commit d274320ad4
6 changed files with 7 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -50,3 +50,4 @@
/FreeRDP-2.2.0.tar.gz /FreeRDP-2.2.0.tar.gz
/FreeRDP-2.3.2.tar.gz /FreeRDP-2.3.2.tar.gz
/FreeRDP-2.4.0.tar.gz /FreeRDP-2.4.0.tar.gz
/FreeRDP-2.4.1.tar.gz

41
Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
View File

@ -1,41 +0,0 @@
From df5d2572497f4cd7ab15144dbab99d0e01495127 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 12 May 2021 12:48:15 +0200
Subject: [PATCH] Fix FIPS mode support and build with OpenSSL 3.0
FreeRDP fails to build with OpenSSL 3.0 because of usage of the `FIPS_mode`
and `FIPS_mode_set` functions, which were removed there. Just a note that
the FIPS mode is not supported by OpenSSL 1.1.* although the mentioned
functions are still there (see https://wiki.openssl.org/index.php/FIPS_modules).
Let's make FreeRDP build with OpenSSL 3.0 and fix the FIPS mode support.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1952937
---
winpr/libwinpr/utils/ssl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/winpr/libwinpr/utils/ssl.c b/winpr/libwinpr/utils/ssl.c
index 3a8590390..03b23af43 100644
--- a/winpr/libwinpr/utils/ssl.c
+++ b/winpr/libwinpr/utils/ssl.c
@@ -244,9 +244,17 @@ static BOOL winpr_enable_fips(DWORD flags)
#else
WLog_DBG(TAG, "Ensuring openssl fips mode is ENabled");
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ if (!EVP_default_properties_is_fips_enabled(NULL))
+#else
if (FIPS_mode() != 1)
+#endif
{
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ if (EVP_set_default_properties(NULL, "fips=yes"))
+#else
if (FIPS_mode_set(1))
+#endif
WLog_INFO(TAG, "Openssl fips mode ENabled!");
else
{
--
2.31.1

11
freerdp.spec
View File

@ -21,8 +21,8 @@
%endif %endif
Name: freerdp Name: freerdp
Version: 2.4.0 Version: 2.4.1
Release: 3%{?dist} Release: 1%{?dist}
Epoch: 2 Epoch: 2
Summary: Free implementation of the Remote Desktop Protocol (RDP) Summary: Free implementation of the Remote Desktop Protocol (RDP)
License: ASL 2.0 License: ASL 2.0
@ -30,10 +30,6 @@ URL: http://www.freerdp.com/
Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/FreeRDP-%{version}.tar.gz
Patch0: Fix-FIPS-mode-support-and-build-with-OpenSSL-3.0.patch
Patch1: winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
Patch2: winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: alsa-lib-devel BuildRequires: alsa-lib-devel
@ -299,6 +295,9 @@ find %{buildroot} -name "*.a" -delete
%{_libdir}/pkgconfig/winpr-tools2.pc %{_libdir}/pkgconfig/winpr-tools2.pc
%changelog %changelog
* Wed Nov 10 2021 Ondrej Holy <oholy@redhat.com> - 2:2.4.1-1
- Update to 2.4.1 (CVE-2021-41159, CVE-2021-41160).
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2:2.4.0-3 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2:2.4.0-3
- Rebuilt with OpenSSL 3.0.0 - Rebuilt with OpenSSL 3.0.0

2
sources
View File

@ -1 +1 @@
SHA512 (FreeRDP-2.4.0.tar.gz) = fb63c40dcdbbc16bf1d591227ec04537f96f0d5098be28a7b8b0158c83803941f1737604473e6fec45e85ec951bf4309c7b119a282ed2a7902f095757da67b20 SHA512 (FreeRDP-2.4.1.tar.gz) = a02c2fac8f90142b8b7a36e31a720c79d7947c32fc8d4ac1c976e4f01467b3d78c50b00974af1db6e3e61c2c81ac77c1ac9bf889d14e4be084afa18b634e28f0

47
winpr-crypto-Exit-cleanly-when-EVP_EncryptInit_ex-fa.patch
View File

@ -1,47 +0,0 @@
From a79e09d97435bfdf4fdd439d76d847ba8dcbb445 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 3 Aug 2021 08:39:21 +0200
Subject: [PATCH] winpr/crypto: Exit cleanly when EVP_EncryptInit_ex fails
The `EVP_EncryptInit_ex` function may fail in certain configurations.
Consequently, FreeRDP segfaults in `EVP_CIPHER_CTX_set_key_length`.
Let's handle the `EVP_EncryptInit_ex` failures and exit cleanly in
such case.
---
winpr/libwinpr/crypto/cipher.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
index c47595b14..bd52cfeed 100644
--- a/winpr/libwinpr/crypto/cipher.c
+++ b/winpr/libwinpr/crypto/cipher.c
@@ -66,7 +66,12 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
return NULL;
EVP_CIPHER_CTX_init((EVP_CIPHER_CTX*)ctx);
- EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL);
+ if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, evp, NULL, NULL, NULL) != 1)
+ {
+ EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
+ return NULL;
+ }
+
/* EVP_CIPH_FLAG_NON_FIPS_ALLOW does not exist before openssl 1.0.1 */
#if !(OPENSSL_VERSION_NUMBER < 0x10001000L)
@@ -75,7 +80,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
#endif
EVP_CIPHER_CTX_set_key_length((EVP_CIPHER_CTX*)ctx, keylen);
- EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL);
+ if (EVP_EncryptInit_ex((EVP_CIPHER_CTX*)ctx, NULL, NULL, key, NULL) != 1)
+ {
+ EVP_CIPHER_CTX_free ((EVP_CIPHER_CTX*)ctx);
+ return NULL;
+ }
#elif defined(WITH_MBEDTLS) && defined(MBEDTLS_ARC4_C)
if (!(ctx = (WINPR_RC4_CTX*)calloc(1, sizeof(mbedtls_arc4_context))))
--
2.31.1

46
winpr-crypto-Load-legacy-provider-to-fix-rc4-with-Op.patch
View File

@ -1,46 +0,0 @@
From e1f63dba5c63302b8a5e9d33c9ffe5580105de72 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Tue, 3 Aug 2021 08:47:13 +0200
Subject: [PATCH] winpr/crypto: Load legacy provider to fix rc4 with OpenSSL
3.0
Currently, the `EVP_EncryptInit_ex` function fails for rc4 with OpenSSL 3.0.
This is becuase rc4 is provided by the legacy provider which is not loaded
by default. Let's explicitly load the legacy provider to make FreeRDP work
with OpenSSL 3.0.
Relates: https://github.com/openssl/openssl/issues/14392
Fixes: https://github.com/FreeRDP/FreeRDP/issues/6604
---
winpr/libwinpr/crypto/cipher.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/winpr/libwinpr/crypto/cipher.c b/winpr/libwinpr/crypto/cipher.c
index bd52cfeed..75d25a1c7 100644
--- a/winpr/libwinpr/crypto/cipher.c
+++ b/winpr/libwinpr/crypto/cipher.c
@@ -29,6 +29,9 @@
#include <openssl/rc4.h>
#include <openssl/des.h>
#include <openssl/evp.h>
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+#include <openssl/provider.h>
+#endif
#endif
#ifdef WITH_MBEDTLS
@@ -58,6 +60,11 @@ static WINPR_RC4_CTX* winpr_RC4_New_Internal(const BYTE* key, size_t keylen, BOO
#if defined(WITH_OPENSSL)
+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
+ if (OSSL_PROVIDER_load(NULL, "legacy") == NULL)
+ return NULL;
+#endif
+
if (!(ctx = (WINPR_RC4_CTX*)EVP_CIPHER_CTX_new()))
return NULL;
--
2.31.1