Backport patch for CVE-2023-39353.

debian/changelog

@@ -14,7 +14,7 @@ freerdp2 (2.3.0+dfsg1-2~deb10u3) UNRELEASED; urgency=medium
      CVE-2020-13397 CVE-2020-13398 and
      CVE-2020-15103 (Closes: #965979)
   * Backporting/Importing upstream patches for (Closes: #1051638):
-    CVE-2023-39350 CVE-2023-39351 CVE-2023-39352
+    CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353
 
  -- Tobias Frost <tobi@debian.org>  Mon, 02 Oct 2023 17:10:48 +0200
 

debian/patches/0039-CVE-2023-39353-part1.patch

@@ -0,0 +1,52 @@
+Description: Upstream fix for CVE-2023-39353 - Missing offset validation leading to Out Of Bound Read
+ commit 1 of 2.
+Origin: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
+From efa0567c027239b901ccdc590b9e229e0111c68b Mon Sep 17 00:00:00 2001
+From: Armin Novak <anovak@thincast.com>
+Date: Sat, 5 Aug 2023 08:57:28 +0200
+Subject: [PATCH] [coded,rfx] check indices are within range
+
+reported by @pwn2carr
+
+(cherry picked from commit 61e17f4707cee66ecaa7519073bae74ecf0a9af4)
+---
+ libfreerdp/codec/rfx.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
+index 13d48c24f329..d7f0d8c65d25 100644
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -936,6 +936,30 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
+ 		Stream_Read_UINT8(&sub, tile->quantIdxY);  /* quantIdxY (1 byte) */
+ 		Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
+ 		Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
++		if (tile->quantIdxY >= context->numQuant)
++			{
++				WLog_Print(context->priv->log, WLOG_ERROR,
++				           "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
++				           context->numQuant);
++				rc = FALSE;
++				break;
++			}
++			if (tile->quantIdxCb >= context->numQuant)
++			{
++				WLog_Print(context->priv->log, WLOG_ERROR,
++				           "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
++				           context->numQuant);
++				rc = FALSE;
++				break;
++			}
++			if (tile->quantIdxCr >= context->numQuant)
++			{
++				WLog_Print(context->priv->log, WLOG_ERROR,
++				           "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
++				           context->numQuant);
++				rc = FALSE;
++				break;
++
+ 		Stream_Read_UINT16(&sub, tile->xIdx);      /* xIdx (2 bytes) */
+ 		Stream_Read_UINT16(&sub, tile->yIdx);      /* yIdx (2 bytes) */
+ 		Stream_Read_UINT16(&sub, tile->YLen);      /* YLen (2 bytes) */

debian/patches/0039-CVE-2023-39353-part2.patch

@@ -0,0 +1,68 @@
+Description: Upstream fix for CVE-2023-39353 - Missing offset validation leading to Out Of Bound Read
+ commit 2 of 2.
+Origin: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
+From 9ed6d6baede27d5006e0e4c9bec8e506f695cb6a Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Tue, 22 Aug 2023 11:37:57 +0200
+Subject: [PATCH] [codec,rfx] fix missing brace from broken backport
+
+---
+ libfreerdp/codec/rfx.c | 43 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 23 deletions(-)
+
+diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
+index d7f0d8c65d25..ccbc5afe44fa 100644
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -937,29 +937,26 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
+ 		Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
+ 		Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
+ 		if (tile->quantIdxY >= context->numQuant)
+-			{
+-				WLog_Print(context->priv->log, WLOG_ERROR,
+-				           "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
+-				           context->numQuant);
+-				rc = FALSE;
+-				break;
+-			}
+-			if (tile->quantIdxCb >= context->numQuant)
+-			{
+-				WLog_Print(context->priv->log, WLOG_ERROR,
+-				           "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
+-				           context->numQuant);
+-				rc = FALSE;
+-				break;
+-			}
+-			if (tile->quantIdxCr >= context->numQuant)
+-			{
+-				WLog_Print(context->priv->log, WLOG_ERROR,
+-				           "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
+-				           context->numQuant);
+-				rc = FALSE;
+-				break;
+-
++		{
++			WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxY %" PRIu8 " >= numQuant %" PRIu8,
++			           tile->quantIdxY, context->numQuant);
++			rc = FALSE;
++			break;
++		}
++		else if (tile->quantIdxCb >= context->numQuant)
++		{
++			WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8,
++			           tile->quantIdxCb, context->numQuant);
++			rc = FALSE;
++			break;
++		}
++		else if (tile->quantIdxCr >= context->numQuant)
++		{
++			WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8,
++			           tile->quantIdxCr, context->numQuant);
++			rc = FALSE;
++			break;
++		}
+ 		Stream_Read_UINT16(&sub, tile->xIdx);      /* xIdx (2 bytes) */
+ 		Stream_Read_UINT16(&sub, tile->yIdx);      /* yIdx (2 bytes) */
+ 		Stream_Read_UINT16(&sub, tile->YLen);      /* YLen (2 bytes) */

debian/patches/series

@@ -26,3 +26,5 @@
 0036-CVE-2023-39350.patch
 0037-CVE-2023-39351.patch
 0038-CVE-2023-39352.patch
+0039-CVE-2023-39353-part1.patch
+0039-CVE-2023-39353-part2.patch