
[meta-oe,kirkstone,1/2] freerdp: fix CVE-2022-39316/39318/39319

Message ID 20230509035309.3773590-1-chee.yang.lee@intel.com
State New

Commit Message

Lee, Chee Yang May 9, 2023, 3:53 a.m. UTC
From: Chee Yang Lee <chee.yang.lee@intel.com>

Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
 .../freerdp/freerdp/CVE-2022-39316.patch      | 53 +++++++++++++++++++
 .../freerdp/CVE-2022-39318-39319.patch        | 41 ++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb  |  2 +
 3 files changed, 96 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch

Comments

akuster808 May 9, 2023, 10:47 a.m. UTC | #1
On 5/8/23 11:53 PM, Lee Chee Yang wrote:
> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
> ---
>   .../freerdp/freerdp/CVE-2022-39316.patch      | 53 +++++++++++++++++++
>   .../freerdp/CVE-2022-39318-39319.patch        | 41 ++++++++++++++
>   .../recipes-support/freerdp/freerdp_2.6.1.bb  |  2 +
>   3 files changed, 96 insertions(+)
>   create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
>   create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch

Do these affect master or mickledore? Adding something like " Affects 
[<, <= ] {version} " would be helpful. I am tending 4 active branches 
and not having to check newer branches would be nice.

BR,
- armin
>
> diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
> new file mode 100644
> index 0000000000..a60b2854c8
> --- /dev/null
> +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
> @@ -0,0 +1,53 @@
> +https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
> +CVE: CVE-2022-39316
> +Upstream-Status: Backport
> +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> +
> +From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
> +From: akallabeth <akallabeth@posteo.net>
> +Date: Thu, 13 Oct 2022 09:09:28 +0200
> +Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
> +
> +(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
> +---
> + libfreerdp/codec/zgfx.c | 11 +++++++----
> + 1 file changed, 7 insertions(+), 4 deletions(-)
> +
> +diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
> +index 20fbd354571..e260aa6e28a 100644
> +--- a/libfreerdp/codec/zgfx.c
> ++++ b/libfreerdp/codec/zgfx.c
> +@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
> + 	BYTE* pbSegment;
> + 	size_t cbSegment;
> +
> +-	if (!zgfx || !stream)
> ++	if (!zgfx || !stream || (segmentSize < 2))
> + 		return FALSE;
> +
> + 	cbSegment = segmentSize - 1;
> +
> +-	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
> +-	    (segmentSize > UINT32_MAX))
> ++	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
> + 		return FALSE;
> +
> + 	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
> + 	zgfx->OutputCount = 0;
> + 	pbSegment = Stream_Pointer(stream);
> +-	Stream_Seek(stream, cbSegment);
> ++	if (!Stream_SafeSeek(stream, cbSegment))
> ++		return FALSE;
> +
> + 	if (!(flags & PACKET_COMPRESSED))
> + 	{
> +@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
> + 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
> + 							return FALSE;
> +
> ++						if (count > zgfx->cBitsRemaining / 8)
> ++							return FALSE;
> ++
> + 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
> + 						           count);
> + 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
> diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
> new file mode 100644
> index 0000000000..76a9e00dd3
> --- /dev/null
> +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
> @@ -0,0 +1,41 @@
> +https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
> +CVE: CVE-2022-39318 CVE-2022-39319
> +Upstream-Status: Backport
> +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> +
> +From 80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea Mon Sep 17 00:00:00 2001
> +From: akallabeth <akallabeth@posteo.net>
> +Date: Thu, 13 Oct 2022 08:27:41 +0200
> +Subject: [PATCH] Fixed division by zero in urbdrc
> +
> +(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
> +---
> + channels/urbdrc/client/libusb/libusb_udevice.c | 12 +++++++++---
> + 1 file changed, 9 insertions(+), 3 deletions(-)
> +
> +diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
> +index 505c31d7b55..ef87f195f38 100644
> +--- a/channels/urbdrc/client/libusb/libusb_udevice.c
> ++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
> +@@ -1221,12 +1221,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
> + 	if (!Buffer)
> + 		Stream_Seek(user_data->data, (NumberOfPackets * 12));
> +
> +-	iso_packet_size = BufferSize / NumberOfPackets;
> +-	iso_transfer = libusb_alloc_transfer(NumberOfPackets);
> ++	if (NumberOfPackets > 0)
> ++	{
> ++		iso_packet_size = BufferSize / NumberOfPackets;
> ++		iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
> ++	}
> +
> + 	if (iso_transfer == NULL)
> + 	{
> +-		WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
> ++		WLog_Print(urbdrc->log, WLOG_ERROR,
> ++		           "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
> ++		           " ]",
> ++		           NumberOfPackets, BufferSize);
> + 		async_transfer_user_data_free(user_data);
> + 		return -1;
> + 	}
> diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
> index ece2f56960..9da8b27c0d 100644
> --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
> +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
> @@ -16,6 +16,8 @@ PKGV = "${GITPKGVTAG}"
>   SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1"
>   SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
>       file://winpr-makecert-Build-with-install-RPATH.patch \
> +    file://CVE-2022-39316.patch \
> +    file://CVE-2022-39318-39319.patch \
>   "
>   
>   S = "${WORKDIR}/git"
>
>
Lee, Chee Yang May 9, 2023, 2:25 p.m. UTC | #2
> +++++++++++++++++++
> >   .../freerdp/CVE-2022-39318-39319.patch        | 41 ++++++++++++++
> >   .../recipes-support/freerdp/freerdp_2.6.1.bb  |  2 +
> >   3 files changed, 96 insertions(+)
> >   create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-
> 2022-39316.patch
> >   create mode 100644
> > meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
> 
> Do these affect master or mickledore? Adding something like " Affects [<, <= ]
> {version} " would be helpful. I am tending 4 active branches and not having to
> checking  newer branches would be nice.

These are fixed in 2.9.0, so master and mickledore are not affected.

Patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
new file mode 100644
index 0000000000..a60b2854c8
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39316.patch
@@ -0,0 +1,53 @@ 
+https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
+CVE: CVE-2022-39316
+Upstream-Status: Backport
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From e865c24efc40ebc52e75979c94cdd4ee2c1495b0 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 09:09:28 +0200
+Subject: [PATCH] Added missing length checks in zgfx_decompress_segment
+
+(cherry picked from commit 64716b335858109d14f27b51acc4c4d71a92a816)
+---
+ libfreerdp/codec/zgfx.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c
+index 20fbd354571..e260aa6e28a 100644
+--- a/libfreerdp/codec/zgfx.c
++++ b/libfreerdp/codec/zgfx.c
+@@ -230,19 +230,19 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 	BYTE* pbSegment;
+ 	size_t cbSegment;
+ 
+-	if (!zgfx || !stream)
++	if (!zgfx || !stream || (segmentSize < 2))
+ 		return FALSE;
+ 
+ 	cbSegment = segmentSize - 1;
+ 
+-	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize < 1) ||
+-	    (segmentSize > UINT32_MAX))
++	if ((Stream_GetRemainingLength(stream) < segmentSize) || (segmentSize > UINT32_MAX))
+ 		return FALSE;
+ 
+ 	Stream_Read_UINT8(stream, flags); /* header (1 byte) */
+ 	zgfx->OutputCount = 0;
+ 	pbSegment = Stream_Pointer(stream);
+-	Stream_Seek(stream, cbSegment);
++	if (!Stream_SafeSeek(stream, cbSegment))
++		return FALSE;
+ 
+ 	if (!(flags & PACKET_COMPRESSED))
+ 	{
+@@ -346,6 +346,9 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t
+ 						if (count > sizeof(zgfx->OutputBuffer) - zgfx->OutputCount)
+ 							return FALSE;
+ 
++						if (count > zgfx->cBitsRemaining / 8)
++							return FALSE;
++
+ 						CopyMemory(&(zgfx->OutputBuffer[zgfx->OutputCount]), zgfx->pbInputCurrent,
+ 						           count);
+ 						zgfx_history_buffer_ring_write(zgfx, zgfx->pbInputCurrent, count);
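Review bot: The new `segmentSize < 2` guard in the first zgfx.c hunk rejects a segment that carries only the one-byte header, which the removed `segmentSize < 1` test accepted, and nothing in the hunk says why a payload byte is now mandatory. A short comment above it would record the intent, for example `/* 1 header byte plus at least 1 payload byte, so cbSegment is never 0 */`. In the second zgfx.c hunk the added `count > zgfx->cBitsRemaining / 8` compares a byte count with a bit counter; a comment such as `/* count is in bytes, cBitsRemaining in bits: do not read past the input segment */` would make the unit conversion explicit. Both hunks cut into zgfx_decompress_segment, whose body starts and ends outside the visible lines.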
diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
new file mode 100644
index 0000000000..76a9e00dd3
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-39318-39319.patch
@@ -0,0 +1,41 @@ 
+https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
+CVE: CVE-2022-39318 CVE-2022-39319
+Upstream-Status: Backport
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 13 Oct 2022 08:27:41 +0200
+Subject: [PATCH] Fixed division by zero in urbdrc
+
+(cherry picked from commit 731f8419d04b481d7160de1f34062d630ed48765)
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index 505c31d7b55..ef87f195f38 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1221,12 +1221,18 @@ static int libusb_udev_isoch_transfer(IUDEVICE* idev, URBDRC_CHANNEL_CALLBACK* c
+ 	if (!Buffer)
+ 		Stream_Seek(user_data->data, (NumberOfPackets * 12));
+ 
+-	iso_packet_size = BufferSize / NumberOfPackets;
+-	iso_transfer = libusb_alloc_transfer(NumberOfPackets);
++	if (NumberOfPackets > 0)
++	{
++		iso_packet_size = BufferSize / NumberOfPackets;
++		iso_transfer = libusb_alloc_transfer((int)NumberOfPackets);
++	}
+ 
+ 	if (iso_transfer == NULL)
+ 	{
+-		WLog_Print(urbdrc->log, WLOG_ERROR, "Error: libusb_alloc_transfer.");
++		WLog_Print(urbdrc->log, WLOG_ERROR,
++		           "Error: libusb_alloc_transfer [NumberOfPackets=%" PRIu32 ", BufferSize=%" PRIu32
++		           " ]",
++		           NumberOfPackets, BufferSize);
+ 		async_transfer_user_data_free(user_data);
+ 		return -1;
+ 	}
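Review bot: The `CVE:` line marks both CVE-2022-39318 and CVE-2022-39319 as fixed, but the only upstream commit carried here is titled "Fixed division by zero in urbdrc" and its single hunk adds just the `NumberOfPackets > 0` guard. cve-check will report both identifiers as patched on the strength of that tag, so it is worth confirming against the upstream advisory that CVE-2022-39319 needs no further commit. In the hunk itself, `(int)NumberOfPackets` narrows a value that is printed with `PRIu32`, so anything above INT_MAX would reach libusb_alloc_transfer as a negative count; the guard could read `if ((NumberOfPackets > 0) && (NumberOfPackets <= INT_MAX))`. The fallthrough to `iso_transfer == NULL` also presumes iso_transfer is initialised to NULL before the hunk, which is outside the visible lines.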
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index ece2f56960..9da8b27c0d 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -16,6 +16,8 @@  PKGV = "${GITPKGVTAG}"
 SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1"
 SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
+    file://CVE-2022-39316.patch \
+    file://CVE-2022-39318-39319.patch \
 "
 
 S = "${WORKDIR}/git"