Import fix for CVE-2022-39283 - closes also #1021659

2023-11-12 12:52:03 +01:00 · 2023-11-12 12:52:03 +01:00 · 9c2cb890eb
commit 9c2cb890eb
parent 1cddd4643a
4 changed files with 46 additions and 2 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -11,11 +11,11 @@ freerdp2 (2.3.0+dfsg1-2+deb10u4) buster-security; urgency=medium
    - CVE-2022-39319 - Missing length validation in urbdrc channel
    - CVE-2022-39347 - Missing path sanitation with `drive` channel
    - CVE-2022-41877 - Missing input length validation in `drive` channel
-  * Import fix for CVE-2022-39282 (Closes: #1021659)
+  * Import fix for CVE-2022-39282 and CVE-2023-39283 (Closes: #1021659)
  * Previous upload had a typo in the CVE list: It was CVE 2023-40567 not
    CVE 2023-39357; fixing changelog entry.

- -- Tobias Frost <tobi@debian.org>  Sun, 12 Nov 2023 12:24:20 +0100
+ -- Tobias Frost <tobi@debian.org>  Sun, 12 Nov 2023 13:08:01 +0100

 freerdp2 (2.3.0+dfsg1-2+deb10u3) buster-security; urgency=medium

--- a/debian/patches/0058-CVE-2022-39282.patch
+++ b/debian/patches/0058-CVE-2022-39282.patch
@ -1,3 +1,7 @@
+Description: CVE-2022-39282 - RDP client: Read of uninitialized memory with parallel port redirection
+Origin: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021659
 From 60aac2abf0740dd36b62712fba91498fd6e055fe Mon Sep 17 00:00:00 2001
 From: akallabeth <akallabeth@posteo.net>
 Date: Thu, 6 Oct 2022 09:12:40 +0200
--- a/debian/patches/0059-CVE-2022-39283.patch
+++ b/debian/patches/0059-CVE-2022-39283.patch
@ -0,0 +1,39 @@
+Description: CVE-2022-39283 - RDP client might read out of bounds data and display it 
+Origin: https://github.com/FreeRDP/FreeRDP/commit/be793c3bb776c1bbda9156b427408d5a5eb00f70
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021659
+From be793c3bb776c1bbda9156b427408d5a5eb00f70 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 6 Oct 2022 09:15:40 +0200
+Subject: [PATCH] Fixed missing length check in video channel
+
+Data received in video redirection channel was not checked for
+proper length.
+
+(cherry picked from commit eeffd1050e9284d1464b58e049b2b4d88726632b)
+---
+ channels/video/client/video_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/channels/video/client/video_main.c
+++ b/channels/video/client/video_main.c
+@@ -46,6 +46,10 @@
+ 
+ #include "video_main.h"
+ 
+#define Stream_CheckAndLogRequiredLength(tag, s, len)                                             \
+	Stream_CheckAndLogRequiredLengthWLogEx(WLog_Get(tag), WLOG_WARN, s, len, "%s(%s:%" PRIuz ")", __FUNCTION__, \
+	                                   __FILE__, __LINE__)
+
+ struct _VIDEO_CHANNEL_CALLBACK
+ {
+ 	IWTSVirtualChannelCallback iface;
+@@ -930,6 +934,8 @@
+ 	Stream_Read_UINT16(s, data.PacketsInSample);
+ 	Stream_Read_UINT32(s, data.SampleNumber);
+ 	Stream_Read_UINT32(s, data.cbSample);
+	if (!Stream_CheckAndLogRequiredLength(TAG, s, data.cbSample))
+		return ERROR_INVALID_DATA;
+ 	data.pSample = Stream_Pointer(s);
+ 
+ 	/*
--- a/debian/patches/series
+++ b/debian/patches/series
@ -47,3 +47,4 @@
 0056-CVE-2022-39347.patch
 0057-CVE-2022-41877.patch
 0058-CVE-2022-39282.patch
+0059-CVE-2022-39283.patch