diff --git a/debian/changelog b/debian/changelog
index de7b858..15e9e7c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,7 +14,7 @@ freerdp2 (2.3.0+dfsg1-2~deb10u3) UNRELEASED; urgency=medium
 CVE-2020-13397 CVE-2020-13398 and CVE-2020-15103 (Closes: #965979)
 * Backporting/Importing upstream patches for (Closes: #1051638):
- CVE-2023-39350 CVE-2023-39351 CVE-2023-39352
+ CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353
 -- Tobias Frost Mon, 02 Oct 2023 17:10:48 +0200
diff --git a/debian/patches/0039-CVE-2023-39353-part1.patch b/debian/patches/0039-CVE-2023-39353-part1.patch
new file mode 100644
index 0000000..5ee83c0
--- /dev/null
+++ b/debian/patches/0039-CVE-2023-39353-part1.patch
@@ -0,0 +1,52 @@
+Description: Upstream fix for CVE-2023-39353 - Missing offset validation leading to Out Of Bound Read
+ commit 1 of 2.
+Origin: https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
+From efa0567c027239b901ccdc590b9e229e0111c68b Mon Sep 17 00:00:00 2001
+From: Armin Novak
+Date: Sat, 5 Aug 2023 08:57:28 +0200
+Subject: [PATCH] [coded,rfx] check indices are within range
+
+reported by @pwn2carr
+
+(cherry picked from commit 61e17f4707cee66ecaa7519073bae74ecf0a9af4)
+---
+ libfreerdp/codec/rfx.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
+index 13d48c24f329..d7f0d8c65d25 100644
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -936,6 +936,30 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
+ Stream_Read_UINT8(&sub, tile->quantIdxY); /* quantIdxY (1 byte) */
+ Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
+ Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
++ if (tile->quantIdxY >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
++ context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ if (tile->quantIdxCb >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
++ context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ if (tile->quantIdxCr >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR,
++ "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
++ context->numQuant);
++ rc = FALSE;
++ break;
++
+ Stream_Read_UINT16(&sub, tile->xIdx); /* xIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->yIdx); /* yIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->YLen); /* YLen (2 bytes) */
diff --git a/debian/patches/0039-CVE-2023-39353-part2.patch b/debian/patches/0039-CVE-2023-39353-part2.patch
new file mode 100644
index 0000000..be3aaad
--- /dev/null
+++ b/debian/patches/0039-CVE-2023-39353-part2.patch
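Review bot: The part1 patch as added does not compile on its own: the quantIdxCr block ends with `++ break;` followed by an empty `++` line where the closing `}` should be, so the intermediate state with only part1 applied is unbuildable and part2 (subject `[codec,rfx] fix missing brace from broken backport`) exists solely to repair it. For a stable-security upload it would be cleaner to fold the brace fix into a single 0039-CVE-2023-39353.patch, or at least record in part1's DEP-3 header that part2 is a required follow-up, so that anyone applying or bisecting the series does not end up with a broken rfx.c. The guarded function rfx_process_message_tileset starts and ends outside the quoted hunk, so whether the caller acts on `rc = FALSE` after the `break` cannot be confirmed from here.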
@@ -0,0 +1,68 @@
+Description: Upstream fix for CVE-2023-39353 - Missing offset validation leading to Out Of Bound Read
+ commit 2 of 2.
+Origin: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
+From 9ed6d6baede27d5006e0e4c9bec8e506f695cb6a Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Tue, 22 Aug 2023 11:37:57 +0200
+Subject: [PATCH] [codec,rfx] fix missing brace from broken backport
+
+---
+ libfreerdp/codec/rfx.c | 43 ++++++++++++++++++++++++ ----------------------
+ 1 file changed, 20 insertions(+), 23 deletions(-)
+
+diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
+index d7f0d8c65d25..ccbc5afe44fa 100644
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -937,29 +937,26 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa
+ Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */
+ Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */
+ if (tile->quantIdxY >= context->numQuant)
+- {
+- WLog_Print(context->priv->log, WLOG_ERROR,
+- "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY,
+- context->numQuant);
+- rc = FALSE;
+- break;
+- }
+- if (tile->quantIdxCb >= context->numQuant)
+- {
+- WLog_Print(context->priv->log, WLOG_ERROR,
+- "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb,
+- context->numQuant);
+- rc = FALSE;
+- break;
+- }
+- if (tile->quantIdxCr >= context->numQuant)
+- {
+- WLog_Print(context->priv->log, WLOG_ERROR,
+- "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr,
+- context->numQuant);
+- rc = FALSE;
+- break;
+-
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxY %" PRIu8 " >= numQuant %" PRIu8,
++ tile->quantIdxY, context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ else if (tile->quantIdxCb >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8,
++ tile->quantIdxCb, context->numQuant);
++ rc = FALSE;
++ break;
++ }
++ else if (tile->quantIdxCr >= context->numQuant)
++ {
++ WLog_Print(context->priv->log, WLOG_ERROR, "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8,
++ tile->quantIdxCr, context->numQuant);
++ rc = FALSE;
++ break;
++ }
+ Stream_Read_UINT16(&sub, tile->xIdx); /* xIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->yIdx); /* yIdx (2 bytes) */
+ Stream_Read_UINT16(&sub, tile->YLen); /* YLen (2 bytes) */
diff --git a/debian/patches/series b/debian/patches/series
index f6c1d59..6b95e8a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,5 @@
 0036-CVE-2023-39350.patch
 0037-CVE-2023-39351.patch
 0038-CVE-2023-39352.patch
+0039-CVE-2023-39353-part1.patch
+0039-CVE-2023-39353-part2.patch