Import fix for CVE-2021-41160 - Improper region checks in all clients allow out of bound write to memory (Closes: #1001062)

debian/changelog

@@ -1,8 +1,11 @@
 freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
 
-  * Fix typo in CVE list. It was CVE 2023-40567 not CVE 2023-39357 
+  * Non-maintainer upload by the LTS Security Team.
+  * Import fix for CVE-2021-41160 - Improper region checks in all clients
+    allow out of bound write to memory (Closes: #1001062)
+  * Previous upload: fix typo in CVE list. It was CVE 2023-40567 not CVE 2023-39357 
 
- -- Tobias Frost <tobi@debian.org>  Sat, 07 Oct 2023 20:02:26 +0200
+ -- Tobias Frost <tobi@debian.org>  Sat, 28 Oct 2023 18:12:57 +0200
 
 freerdp2 (2.3.0+dfsg1-2+deb10u3) buster-security; urgency=medium
 

debian/patches/0050-CVE-2021-41160.patch

@@ -0,0 +1,153 @@
+Description: Fix for CVE-2021-41160 - out of bound write
+Origin: https://github.com/FreeRDP/FreeRDP/commit/217e0caa181fc1690cf84dd6a3ba1a4f90c02692.
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001062
+
+From 217e0caa181fc1690cf84dd6a3ba1a4f90c02692 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@users.noreply.github.com>
+Date: Tue, 12 Oct 2021 12:26:22 +0200
+Subject: [PATCH] Bitmap update fix (#7349)
+
+* Added checks for bitmap width and heigth values
+
+Data received from the server might have invalid values for bitmap
+with or height. Abort parsing if such a value is found.
+Reported by Sunglin from the Knownsec 404 team & 0103 sec team
+
+* Added checks for glyph width & height
+---
+ libfreerdp/core/orders.c  | 14 ++++++++++++
+ libfreerdp/core/surface.c | 45 +++++++++++++++++++++++++++++++++++++++
+ libfreerdp/core/update.c  |  7 ++++++
+ 3 files changed, 66 insertions(+)
+
+--- a/libfreerdp/core/orders.c
++++ b/libfreerdp/core/orders.c
+@@ -1948,6 +1948,13 @@
+ 			    !update_read_2byte_unsigned(&sub, &glyph->cy))
+ 				return FALSE;
+ 
++			if ((glyph->cx == 0) || (glyph->cy == 0))
++			{
++				WLog_ERR(TAG, "GLYPH_DATA_V2::cx=%" PRIu32 ", GLYPH_DATA_V2::cy=%" PRIu32,
++				         glyph->cx, glyph->cy);
++				return FALSE;
++			}
++
+ 			glyph->cb = Stream_GetRemainingLength(&sub);
+ 			if (glyph->cb > 0)
+ 			{
+@@ -2949,6 +2956,13 @@
+ 	Stream_Read_UINT16(s, create_offscreen_bitmap->cy); /* cy (2 bytes) */
+ 	deleteList = &(create_offscreen_bitmap->deleteList);
+ 
++	if ((create_offscreen_bitmap->cx == 0) || (create_offscreen_bitmap->cy == 0))
++	{
++		WLog_ERR(TAG, "Invalid OFFSCREEN_DELETE_LIST: cx=%" PRIu16 ", cy=%" PRIu16,
++		         create_offscreen_bitmap->cx, create_offscreen_bitmap->cy);
++		return FALSE;
++	}
++
+ 	if (deleteListPresent)
+ 	{
+ 		UINT32 i;
+--- a/libfreerdp/core/surface.c
++++ b/libfreerdp/core/surface.c
+@@ -21,6 +21,8 @@
+ #include "config.h"
+ #endif
+ 
++#include <assert.h>
++
+ #include <freerdp/utils/pcap.h>
+ #include <freerdp/log.h>
+ 
+@@ -29,6 +31,8 @@
+ 
+ #define TAG FREERDP_TAG("core.surface")
+ 
++#define WINPR_ASSERT assert
++
+ static BOOL update_recv_surfcmd_bitmap_header_ex(wStream* s, TS_COMPRESSED_BITMAP_HEADER_EX* header)
+ {
+ 	if (!s || !header)
+@@ -62,6 +66,13 @@
+ 	Stream_Read_UINT16(s, bmp->height);
+ 	Stream_Read_UINT32(s, bmp->bitmapDataLength);
+ 
++	if ((bmp->width == 0) || (bmp->height == 0))
++	{
++		WLog_ERR(TAG, "invalid size value width=%" PRIu16 ", height=%" PRIu16, bmp->width,
++		         bmp->height);
++		return FALSE;
++	}
++
+ 	if ((bmp->bpp < 1) || (bmp->bpp > 32))
+ 	{
+ 		WLog_ERR(TAG, "invalid bpp value %" PRIu32 "", bmp->bpp);
+@@ -85,6 +96,39 @@
+ 	return TRUE;
+ }
+ 
++static BOOL update_recv_surfcmd_is_rect_valid(const rdpContext* context,
++                                              const SURFACE_BITS_COMMAND* cmd)
++{
++	WINPR_ASSERT(context);
++	WINPR_ASSERT(context->settings);
++	WINPR_ASSERT(cmd);
++
++	/* We need a rectangle with left/top being smaller than right/bottom.
++	 * Also do not allow empty rectangles. */
++	if ((cmd->destTop >= cmd->destBottom) || (cmd->destLeft >= cmd->destRight))
++	{
++		WLog_WARN(TAG,
++		          "Empty surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
++		          "x%" PRIu16,
++		          cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom);
++		return FALSE;
++	}
++
++	/* The rectangle needs to fit into our session size */
++	if ((cmd->destRight > context->settings->DesktopWidth) ||
++	    (cmd->destBottom > context->settings->DesktopHeight))
++	{
++		WLog_WARN(TAG,
++		          "Invalid surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
++		          "x%" PRIu16 " does not fit %" PRIu32 "x%" PRIu32,
++		          cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom,
++		          context->settings->DesktopWidth, context->settings->DesktopHeight);
++		return FALSE;
++	}
++
++	return TRUE;
++}
++
+ static BOOL update_recv_surfcmd_surface_bits(rdpUpdate* update, wStream* s, UINT16 cmdType)
+ {
+ 	SURFACE_BITS_COMMAND cmd = { 0 };
+@@ -98,6 +142,9 @@
+ 	Stream_Read_UINT16(s, cmd.destRight);
+ 	Stream_Read_UINT16(s, cmd.destBottom);
+ 
++	if (!update_recv_surfcmd_is_rect_valid(update->context, &cmd))
++		goto fail;
++
+ 	if (!update_recv_surfcmd_bitmap_ex(s, &cmd.bmp))
+ 		goto fail;
+ 
+--- a/libfreerdp/core/update.c
++++ b/libfreerdp/core/update.c
+@@ -99,6 +99,13 @@
+ 	Stream_Read_UINT16(s, bitmapData->flags);
+ 	Stream_Read_UINT16(s, bitmapData->bitmapLength);
+ 
++	if ((bitmapData->width == 0) || (bitmapData->height == 0))
++	{
++		WLog_ERR(TAG, "Invalid BITMAP_DATA: width=%" PRIu16 ", height=%" PRIu16, bitmapData->width,
++		         bitmapData->height);
++		return FALSE;
++	}
++
+ 	if (bitmapData->flags & BITMAP_COMPRESSION)
+ 	{
+ 		if (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))

debian/patches/series

@@ -39,3 +39,4 @@
 0047-CVE-2023-40188.patch
 0048-CVE-2023-40569.patch
 0049-CVE-2023-40589.patch
+0050-CVE-2021-41160.patch