[packages/rdesktop] - updated to 1.8.4, fixes: - memory corruption in process_bitmap_data - CVE-2018-8794 - remote

adamg adamg at pld-linux.org
Fri Oct 11 23:09:13 CEST 2019 

commit cc572024e4bfa4765ceb6b9dc28e6ccf4f74b539
Author: Adam Gołębiowski <adamg at pld-linux.org>
Date:   Fri Oct 11 23:07:20 2019 +0200

    - updated to 1.8.4, fixes:
      -  memory corruption in process_bitmap_data - CVE-2018-8794
      -  remote code execution in process_bitmap_data - CVE-2018-8795
      -  remote code execution in process_plane - CVE-2018-8797
      -  Denial of Service in mcs_recv_connect_response - CVE-2018-20175
      -  Denial of Service in mcs_parse_domain_params - CVE-2018-20175
      -  Denial of Service in sec_parse_crypt_info - CVE-2018-20176
      -  Denial of Service in sec_recv - CVE-2018-20176
      -  minor information leak in rdpdr_process - CVE-2018-8791
      -  Denial of Service in cssp_read_tsrequest - CVE-2018-8792
      -  remote code execution in cssp_read_tsrequest - CVE-2018-8793
      -  Denial of Service in process_bitmap_data - CVE-2018-8796
      -  minor information leak in rdpsnd_process_ping - CVE-2018-8798
      -  Denial of Service in process_secondary_order - CVE-2018-8799
      -  remote code execution in in ui_clip_handle_data - CVE-2018-8800
      -  major information leak in ui_clip_handle_data - CVE-2018-20174
      -  memory corruption in rdp_in_unistr - CVE-2018-20177
      -  Denial of Service in process_demand_active - CVE-2018-20178
      -  remote code execution in lspci_process - CVE-2018-20179
      -  remote code execution in rdpsnddbg_process - CVE-2018-20180
      -  remote code execution in seamless_process - CVE-2018-20181
      -  remote code execution in seamless_process_line - CVE-2018-20182

 openssl.patch | 125 ----------------------------------------------------------
 rdesktop.spec |  10 ++---
 2 files changed, 4 insertions(+), 131 deletions(-)
---
diff --git a/rdesktop.spec b/rdesktop.spec
index 3d145d8..b77bce4 100644
--- a/rdesktop.spec
+++ b/rdesktop.spec
@@ -1,15 +1,14 @@
 Summary:	RDP client for accessing Windows NT Terminal Server
 Summary(pl.UTF-8):	Klient RDP umożliwiający dostęp do Terminal Serwera WinNT
 Name:		rdesktop
-Version:	1.8.3
-Release:	3
+Version:	1.8.4
+Release:	1
 License:	GPL v3+
 Group:		X11/Applications/Networking
-Source0:	http://downloads.sourceforge.net/rdesktop/%{name}-%{version}.tar.gz
-# Source0-md5:	86e8b368a7c715e74ded92e0d7912dc5
+Source0:	https://github.com/rdesktop/rdesktop/releases/download/v1.8.4/rdesktop-1.8.4.tar.gz
+# Source0-md5:	7273f9dad833f6899a3e5b39d7fdd6f2
 Patch0:		%{name}-xinerama.patch
 Patch1:		%{name}-heimdal.patch
-Patch2:		openssl.patch
 URL:		http://www.rdesktop.org/
 BuildRequires:	alsa-lib-devel
 BuildRequires:	autoconf >= 2.50
@@ -40,7 +39,6 @@ wymagane żadne rozszerzenia po stronie serwera.
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
 
 %build
 %{__aclocal}
diff --git a/openssl.patch b/openssl.patch
deleted file mode 100644
index bea047c..0000000
--- a/openssl.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From bd6aa6acddf0ba640a49834807872f4cc0d0a773 Mon Sep 17 00:00:00 2001
-From: Jani Hakala <jjhakala at gmail.com>
-Date: Thu, 16 Jun 2016 14:28:15 +0300
-Subject: [PATCH] Fix OpenSSL 1.1 compability issues
-
-Some data types have been made opaque in OpenSSL version 1.1 so
-stack allocation and accessing struct fields directly does not work.
----
- ssl.c | 65 ++++++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 40 insertions(+), 25 deletions(-)
-
-diff --git a/ssl.c b/ssl.c
-index 48751255..032e9b9e 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -88,7 +88,7 @@ rdssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 *
- 		  uint8 * exponent)
- {
- 	BN_CTX *ctx;
--	BIGNUM mod, exp, x, y;
-+	BIGNUM *mod, *exp, *x, *y;
- 	uint8 inr[SEC_MAX_MODULUS_SIZE];
- 	int outlen;
- 
-@@ -98,24 +98,24 @@ rdssl_rsa_encrypt(uint8 * out, uint8 * in, int len, uint32 modulus_size, uint8 *
- 	reverse(inr, len);
- 
- 	ctx = BN_CTX_new();
--	BN_init(&mod);
--	BN_init(&exp);
--	BN_init(&x);
--	BN_init(&y);
--
--	BN_bin2bn(modulus, modulus_size, &mod);
--	BN_bin2bn(exponent, SEC_EXPONENT_SIZE, &exp);
--	BN_bin2bn(inr, len, &x);
--	BN_mod_exp(&y, &x, &exp, &mod, ctx);
--	outlen = BN_bn2bin(&y, out);
-+	mod = BN_new();
-+	exp = BN_new();
-+	x = BN_new();
-+	y = BN_new();
-+
-+	BN_bin2bn(modulus, modulus_size, mod);
-+	BN_bin2bn(exponent, SEC_EXPONENT_SIZE, exp);
-+	BN_bin2bn(inr, len, x);
-+	BN_mod_exp(y, x, exp, mod, ctx);
-+	outlen = BN_bn2bin(y, out);
- 	reverse(out, outlen);
- 	if (outlen < (int) modulus_size)
- 		memset(out + outlen, 0, modulus_size - outlen);
- 
--	BN_free(&y);
--	BN_clear_free(&x);
--	BN_free(&exp);
--	BN_free(&mod);
-+	BN_free(y);
-+	BN_clear_free(x);
-+	BN_free(exp);
-+	BN_free(mod);
- 	BN_CTX_free(ctx);
- }
- 
-@@ -146,12 +146,20 @@ rdssl_cert_to_rkey(RDSSL_CERT * cert, uint32 * key_len)
- 
- 	   Kudos to Richard Levitte for the following (. intiutive .) 
- 	   lines of code that resets the OID and let's us extract the key. */
--	nid = OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
-+
-+	X509_PUBKEY *key = NULL;
-+	X509_ALGOR *algor = NULL;
-+
-+	key = X509_get_X509_PUBKEY(cert);
-+	algor = X509_PUBKEY_get0_param(NULL, NULL, 0, &algor, key);
-+
-+	nid = OBJ_obj2nid(algor->algorithm);
-+
- 	if ((nid == NID_md5WithRSAEncryption) || (nid == NID_shaWithRSAEncryption))
- 	{
- 		DEBUG_RDP5(("Re-setting algorithm type to RSA in server certificate\n"));
--		ASN1_OBJECT_free(cert->cert_info->key->algor->algorithm);
--		cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
-+		X509_PUBKEY_set0_param(key, OBJ_nid2obj(NID_rsaEncryption),
-+				       0, NULL, NULL, 0);
- 	}
- 	epk = X509_get_pubkey(cert);
- 	if (NULL == epk)
-@@ -201,14 +209,24 @@ rdssl_rkey_get_exp_mod(RDSSL_RKEY * rkey, uint8 * exponent, uint32 max_exp_len,
- {
- 	int len;
- 
--	if ((BN_num_bytes(rkey->e) > (int) max_exp_len) ||
--	    (BN_num_bytes(rkey->n) > (int) max_mod_len))
-+	BIGNUM *e = NULL;
-+	BIGNUM *n = NULL;
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+	e = rkey->e;
-+	n = rkey->n;
-+#else
-+	RSA_get0_key(rkey, &e, &n, NULL);
-+#endif
-+
-+	if ((BN_num_bytes(e) > (int) max_exp_len) ||
-+	    (BN_num_bytes(n) > (int) max_mod_len))
- 	{
- 		return 1;
- 	}
--	len = BN_bn2bin(rkey->e, exponent);
-+	len = BN_bn2bin(e, exponent);
- 	reverse(exponent, len);
--	len = BN_bn2bin(rkey->n, modulus);
-+	len = BN_bn2bin(n, modulus);
- 	reverse(modulus, len);
- 	return 0;
- }
-@@ -229,8 +247,5 @@ void
- rdssl_hmac_md5(const void *key, int key_len, const unsigned char *msg, int msg_len,
- 	       unsigned char *md)
- {
--	HMAC_CTX ctx;
--	HMAC_CTX_init(&ctx);
- 	HMAC(EVP_md5(), key, key_len, msg, msg_len, md, NULL);
--	HMAC_CTX_cleanup(&ctx);
- }
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/rdesktop.git/commitdiff/cc572024e4bfa4765ceb6b9dc28e6ccf4f74b539

More information about the pld-cvs-commit mailing list