From 14442af9ac41b9fb968f2f496ee5ee1f88f2b895 Mon Sep 17 00:00:00 2001
From: Tobias Frost
Date: Sat, 28 Oct 2023 18:27:39 +0200
Subject: [PATCH] Import fix for CVE-2021-41160 - Improper region checks in all clients allow out of bound write to memory (Closes: #1001062)
---
 debian/changelog | 7 +-
 debian/patches/0050-CVE-2021-41160.patch | 153 +++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 159 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/0050-CVE-2021-41160.patch
diff --git a/debian/changelog b/debian/changelog
index d076cfb..e6900e7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,11 @@
 freerdp2 (2.3.0+dfsg1-2+deb10u4) UNRELEASED; urgency=medium
 
-  * Fix typo in CVE list. It was CVE 2023-40567 not CVE 2023-39357
+  * Non-maintainer upload by the LTS Security Team.
+  * Import fix for CVE-2021-41160 - Improper region checks in all clients
+    allow out of bound write to memory (Closes: #1001062)
+  * Previous upload: fix typo in CVE list. It was CVE 2023-40567 not CVE 2023-39357
 
- -- Tobias Frost Sat, 07 Oct 2023 20:02:26 +0200
+ -- Tobias Frost Sat, 28 Oct 2023 18:12:57 +0200
 
 freerdp2 (2.3.0+dfsg1-2+deb10u3) buster-security; urgency=medium
 
diff --git a/debian/patches/0050-CVE-2021-41160.patch b/debian/patches/0050-CVE-2021-41160.patch
new file mode 100644
index 0000000..03f16a9
--- /dev/null
+++ b/debian/patches/0050-CVE-2021-41160.patch
@@ -0,0 +1,153 @@
+Description: Fix for CVE-2021-41160 - out of bound write
+Origin: https://github.com/FreeRDP/FreeRDP/commit/217e0caa181fc1690cf84dd6a3ba1a4f90c02692.
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001062
+
+From 217e0caa181fc1690cf84dd6a3ba1a4f90c02692 Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Tue, 12 Oct 2021 12:26:22 +0200
+Subject: [PATCH] Bitmap update fix (#7349)
+
+* Added checks for bitmap width and heigth values
+
+Data received from the server might have invalid values for bitmap
+with or height. Abort parsing if such a value is found.
+Reported by Sunglin from the Knownsec 404 team & 0103 sec team
+
+* Added checks for glyph width & height
+---
+ libfreerdp/core/orders.c | 14 ++++++++++++
+ libfreerdp/core/surface.c | 45 +++++++++++++++++++++++++++++++++++++++
+ libfreerdp/core/update.c | 7 ++++++
+ 3 files changed, 66 insertions(+)
+
+--- a/libfreerdp/core/orders.c
++++ b/libfreerdp/core/orders.c
+@@ -1948,6 +1948,13 @@
+ !update_read_2byte_unsigned(&sub, &glyph->cy))
+ return FALSE;
+ 
++ if ((glyph->cx == 0) || (glyph->cy == 0))
++ {
++ WLog_ERR(TAG, "GLYPH_DATA_V2::cx=%" PRIu32 ", GLYPH_DATA_V2::cy=%" PRIu32,
++ glyph->cx, glyph->cy);
++ return FALSE;
++ }
++ 
+ glyph->cb = Stream_GetRemainingLength(&sub);
+ if (glyph->cb > 0)
+ {
+@@ -2949,6 +2956,13 @@
+ Stream_Read_UINT16(s, create_offscreen_bitmap->cy); /* cy (2 bytes) */
+ deleteList = &(create_offscreen_bitmap->deleteList);
+ 
++ if ((create_offscreen_bitmap->cx == 0) || (create_offscreen_bitmap->cy == 0))
++ {
++ WLog_ERR(TAG, "Invalid OFFSCREEN_DELETE_LIST: cx=%" PRIu16 ", cy=%" PRIu16,
++ create_offscreen_bitmap->cx, create_offscreen_bitmap->cy);
++ return FALSE;
++ }
++ 
+ if (deleteListPresent)
+ {
+ UINT32 i;
+--- a/libfreerdp/core/surface.c
++++ b/libfreerdp/core/surface.c
+@@ -21,6 +21,8 @@
+ #include "config.h"
+ #endif
+ 
++#include 
++ 
+ #include 
+ #include 
+ 
+@@ -29,6 +31,8 @@
+ 
+ #define TAG FREERDP_TAG("core.surface")
+ 
++#define WINPR_ASSERT assert
++ 
+ static BOOL update_recv_surfcmd_bitmap_header_ex(wStream* s, TS_COMPRESSED_BITMAP_HEADER_EX* header)
+ {
+ if (!s || !header)
+@@ -62,6 +66,13 @@
+ Stream_Read_UINT16(s, bmp->height);
+ Stream_Read_UINT32(s, bmp->bitmapDataLength);
+ 
++ if ((bmp->width == 0) || (bmp->height == 0))
++ {
++ WLog_ERR(TAG, "invalid size value width=%" PRIu16 ", height=%" PRIu16, bmp->width,
++ bmp->height);
++ return FALSE;
++ }
++ 
+ if ((bmp->bpp < 1) || (bmp->bpp > 32))
+ {
+ WLog_ERR(TAG, "invalid bpp value %" PRIu32 "", bmp->bpp);
+@@ -85,6 +96,39 @@
+ return TRUE;
+ }
+ 
++static BOOL update_recv_surfcmd_is_rect_valid(const rdpContext* context,
++ const SURFACE_BITS_COMMAND* cmd)
++{
++ WINPR_ASSERT(context);
++ WINPR_ASSERT(context->settings);
++ WINPR_ASSERT(cmd);
++ 
++ /* We need a rectangle with left/top being smaller than right/bottom.
++ * Also do not allow empty rectangles. */
++ if ((cmd->destTop >= cmd->destBottom) || (cmd->destLeft >= cmd->destRight))
++ {
++ WLog_WARN(TAG,
++ "Empty surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
++ "x%" PRIu16,
++ cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom);
++ return FALSE;
++ }
++ 
++ /* The rectangle needs to fit into our session size */
++ if ((cmd->destRight > context->settings->DesktopWidth) ||
++ (cmd->destBottom > context->settings->DesktopHeight))
++ {
++ WLog_WARN(TAG,
++ "Invalid surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
++ "x%" PRIu16 " does not fit %" PRIu32 "x%" PRIu32,
++ cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom,
++ context->settings->DesktopWidth, context->settings->DesktopHeight);
++ return FALSE;
++ }
++ 
++ return TRUE;
++}
++ 
+ static BOOL update_recv_surfcmd_surface_bits(rdpUpdate* update, wStream* s, UINT16 cmdType)
+ {
+ SURFACE_BITS_COMMAND cmd = { 0 };
+@@ -98,6 +142,9 @@
+ Stream_Read_UINT16(s, cmd.destRight);
+ Stream_Read_UINT16(s, cmd.destBottom);
+ 
++ if (!update_recv_surfcmd_is_rect_valid(update->context, &cmd))
++ goto fail;
++ 
+ if (!update_recv_surfcmd_bitmap_ex(s, &cmd.bmp))
+ goto fail;
+ 
+--- a/libfreerdp/core/update.c
++++ b/libfreerdp/core/update.c
+@@ -99,6 +99,13 @@
+ Stream_Read_UINT16(s, bitmapData->flags);
+ Stream_Read_UINT16(s, bitmapData->bitmapLength);
+ 
++ if ((bitmapData->width == 0) || (bitmapData->height == 0))
++ {
++ WLog_ERR(TAG, "Invalid BITMAP_DATA: width=%" PRIu16 ", height=%" PRIu16, bitmapData->width,
++ bitmapData->height);
++ return FALSE;
++ }
++ 
+ if (bitmapData->flags & BITMAP_COMPRESSION)
+ {
+ if (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))
diff --git a/debian/patches/series b/debian/patches/series
index ff70651..ab7e23c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,4 @@
 0047-CVE-2023-40188.patch
 0048-CVE-2023-40569.patch
 0049-CVE-2023-40589.patch
+0050-CVE-2021-41160.patch
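Review bot: The `#define WINPR_ASSERT assert` shim introduced in the surface.c part of the embedded patch (the added header include is presumably `<assert.h>`; its name is lost in this rendering) evaluates to nothing when the build defines NDEBUG, so in `update_recv_surfcmd_is_rect_valid` the `WINPR_ASSERT(context)` and `WINPR_ASSERT(context->settings)` lines are not a runtime guard and the following `context->settings->DesktopWidth` dereference runs unchecked; whether the Debian build sets NDEBUG, and whether `update->context` can be NULL at the call site, is not visible here. If a hard check is wanted in the backport, `if (!context || !context->settings || !cmd) return FALSE;` placed before the asserts keeps the upstream structure intact. Separately, the orders.c check on `create_offscreen_bitmap->cx`/`cy` logs `"Invalid OFFSCREEN_DELETE_LIST: cx=..."`, which names the wrong structure for a reader of the log; `"Invalid CREATE_OFFSCREEN_BITMAP: cx=..."` describes the order actually being parsed. Note that every function these nested hunks touch begins and ends outside the quoted lines, and that this file is a vendored copy of the Origin commit, so any local change is a deliberate divergence from upstream.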