Mailinglist Archive: opensuse-commit (771 mails)

commit rdesktop
  • From: root@xxxxxxxxxxxxxxx (h_root)
  • Date: Tue, 03 Jun 2008 01:09:31 +0200
  • Message-id: <20080602230932.14FA867816D@xxxxxxxxxxxxxxx>

Hello community,

here is the log from the commit of package rdesktop
checked in at Tue Jun 3 01:09:31 CEST 2008.


--------
--- rdesktop/rdesktop.changes 2007-04-25 17:24:04.000000000 +0200
+++ /mounts/work_src_done/STABLE/rdesktop/rdesktop.changes 2008-05-08
14:41:41.112646000 +0200
@@ -1,0 +2,8 @@
+Thu May 8 14:29:51 CEST 2008 - mc@xxxxxxx
+
+- fix multiple problems in rdesktop
+ * CVE-2008-1801 - integer underflow vulnerability
+ * CVE-2008-1802 - BSS overflow vulnerability
+ * CVE-2008-1803 - integer signedness vulnerability
+
+-------------------------------------------------------------------



New:
----
rdesktop-1.5.0-CVE-2008-1801.dif
rdesktop-1.5.0-CVE-2008-1802.dif
rdesktop-1.5.0-CVE-2008-1803.dif

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rdesktop.spec ++++++
--- /var/tmp/diff_new_pack.im9500/_old 2008-06-03 01:09:26.000000000 +0200
+++ /var/tmp/diff_new_pack.im9500/_new 2008-06-03 01:09:26.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package rdesktop (Version 1.5.0)
#
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -10,20 +10,24 @@

# norootforbuild

+
Name: rdesktop
BuildRequires: openssl-devel xorg-x11-devel
-URL: http://www.rdesktop.org/
-License: GNU General Public License (GPL)
-Group: Productivity/Networking/Other
-Autoreqprov: on
+Url: http://www.rdesktop.org/
+License: GPL v2 or later
+Group: Productivity/Networking/Remote Desktop
+AutoReqProv: on
Version: 1.5.0
-Release: 41
-Summary: a Remote Desktop Protocol client
+Release: 132
+Summary: A Remote Desktop Protocol client
Source: %{name}-%{version}.tar.bz2
Patch0: rdesktop-1.4.0-lib64.dif
Patch1: rdesktop-1.5.0-fs-fix-1.dif
Patch2: rdesktop-1.5.0-fix-printer-strcmp.dif
Patch3: rdesktop-1.5.0-fix-segfault.dif
+Patch4: rdesktop-1.5.0-CVE-2008-1801.dif
+Patch5: rdesktop-1.5.0-CVE-2008-1802.dif
+Patch6: rdesktop-1.5.0-CVE-2008-1803.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build

%description
@@ -44,6 +48,9 @@
%patch1
%patch2
%patch3
+%patch4
+%patch5
+%patch6

%build
%{suse_update_config}
@@ -73,14 +80,19 @@
%{_mandir}/man1/rdesktop.1.gz

%changelog
-* Wed Apr 25 2007 - mc@xxxxxxx
+* Thu May 08 2008 mc@xxxxxxx
+- fix multiple problems in rdesktop
+ * CVE-2008-1801 - integer underflow vulnerability
+ * CVE-2008-1802 - BSS overflow vulnerability
+ * CVE-2008-1803 - integer signedness vulnerability
+* Wed Apr 25 2007 mc@xxxxxxx
- fix segfaults after recent update of X.org
[#267016]
-* Tue Dec 19 2006 - mc@xxxxxxx
+* Tue Dec 19 2006 mc@xxxxxxx
- fix "comparison with string literal" [#228709]
-* Mon Nov 06 2006 - schwab@xxxxxxx
+* Mon Nov 06 2006 schwab@xxxxxxx
- Don't strip binaries.
-* Tue Sep 19 2006 - mc@xxxxxxx
+* Tue Sep 19 2006 mc@xxxxxxx
- rdesktop (1.5.0)
* SeamlessRDP - seamless windows support
* Keymap fixes
@@ -97,18 +109,18 @@
* The default color depth is now the depth of the root window
* Basic support for Windows Vista Beta 2
* Fix high cpu-usage in OSS-driver
-* Mon Sep 11 2006 - mc@xxxxxxx
+* Mon Sep 11 2006 mc@xxxxxxx
- /usr/X11R6 => /usr/
-* Fri May 26 2006 - schwab@xxxxxxx
+* Fri May 26 2006 schwab@xxxxxxx
- Don't strip binaries.
-* Thu May 04 2006 - mc@xxxxxxx
+* Thu May 04 2006 mc@xxxxxxx
- add xgl fix [#164671]
-* Mon Mar 20 2006 - mc@xxxxxxx
+* Mon Mar 20 2006 mc@xxxxxxx
- fix Compiz makes rdesktop window entirely transparent
[# 155335]
-* Wed Jan 25 2006 - mls@xxxxxxx
+* Wed Jan 25 2006 mls@xxxxxxx
- converted neededforbuild to BuildRequires
-* Fri Jun 03 2005 - mc@xxxxxxx
+* Fri Jun 03 2005 mc@xxxxxxx
- switch to version 1.4.1
* persistent bitmap cache optimisations
* support for more RDP-orders (ellipse, polygon)
@@ -120,46 +132,46 @@
* Support for RDP-compression (all bpps)
* process RDP recv queue if send queue is full (Debian bug #246461)
* SGI/Irix sound-driver fixes
-* Wed Mar 30 2005 - mc@xxxxxxx
+* Wed Mar 30 2005 mc@xxxxxxx
- switch to version 1.4.0
- remove rdesktop-1.2.0-24bit-color.dif, rdesktop-1.2.0-configure.dif
and rdesktop-kdehead.patch
- add rdesktop-1.4.0-lib64.dif
-* Tue Aug 24 2004 - mc@xxxxxxx
+* Tue Aug 24 2004 mc@xxxxxxx
- add rdesktop-kdehead.patch to make krdc working
[#43860]
-* Thu Feb 26 2004 - mc@xxxxxxx
+* Thu Feb 26 2004 mc@xxxxxxx
- switch to version 1.3.1
* Crypto fixes for RDP5
* Keyboard and keymap fixes
* some endianess fixes for high color
* portability enhancements
-* Sat Jan 10 2004 - adrian@xxxxxxx
+* Sat Jan 10 2004 adrian@xxxxxxx
- build as user
-* Thu Oct 30 2003 - mc@xxxxxxx
+* Thu Oct 30 2003 mc@xxxxxxx
- switch to version 1.3.0
-* Mon Aug 18 2003 - mc@xxxxxxx
+* Mon Aug 18 2003 mc@xxxxxxx
- renamed rdesktop-1.2.0.dif to rdesktop-1.2.0-24bit-color.dif
- add rdesktop-1.2.0-configure.dif . Makes it possible to set
CFLAGS from external.
- add -fno-strict-aliasing
- removed unused patches
(rdesktop-unified-patch19-9-0.bz2, rdesktop-1.1.0.dif)
-* Fri Jul 04 2003 - sndirsch@xxxxxxx
+* Fri Jul 04 2003 sndirsch@xxxxxxx
- workaround for 24bit color depth problem (Bug #27726)
-* Mon Jun 16 2003 - coolo@xxxxxxx
+* Mon Jun 16 2003 coolo@xxxxxxx
- use BuildRoot
-* Tue Mar 18 2003 - sndirsch@xxxxxxx
+* Tue Mar 18 2003 sndirsch@xxxxxxx
- added missing keymaps (Bug #25565)
-* Thu Jan 30 2003 - sndirsch@xxxxxxx
+* Fri Jan 31 2003 sndirsch@xxxxxxx
- updated to release 1.2.0 (Bug #23211)
* this features new keyboard mapping code, high encryption support
and many small additions and bugfixes
-* Fri Aug 23 2002 - uli@xxxxxxx
+* Fri Aug 23 2002 uli@xxxxxxx
- added patches from http://bibl4.oru.se/projects/rdesktop
that have been reported to be necessary for proper operation
(bug #18223)
-* Wed Apr 24 2002 - uli@xxxxxxx
+* Wed Apr 24 2002 uli@xxxxxxx
- fixed for lib64
-* Thu Oct 18 2001 - uli@xxxxxxx
+* Thu Oct 18 2001 uli@xxxxxxx
- initial package

++++++ rdesktop-1.5.0-CVE-2008-1801.dif ++++++
Index: iso.c
===================================================================
RCS file: /cvsroot/rdesktop/rdesktop/iso.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- iso.c 8 Jan 2007 04:47:05 -0000 1.19
+++ iso.c 14 Feb 2008 11:45:13 -0000 1.20
@@ -98,6 +98,11 @@
next_be(s, length);
}
}
+ if (length < 4)
+ {
+ error("Bad packet header\n");
+ return NULL;
+ }
s = tcp_recv(s, length - 4);
if (s == NULL)
return NULL;
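Review bot: the new 'length < 4' test in front of 's = tcp_recv(s, length - 4);' sets only a lower bound; the length declared by the peer is still passed on with no upper limit checked in this hunk. Please confirm that tcp_recv (not shown here) caps what it will read or allocate, or add a maximum next to this check. Logging the rejected length in the "Bad packet header" message would also help when triaging.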
++++++ rdesktop-1.5.0-CVE-2008-1802.dif ++++++
Index: rdp.c
===================================================================
--- rdp.c.orig
+++ rdp.c
@@ -241,10 +241,10 @@ rdp_out_unistr(STREAM s, char *string, i
* Returns str_len of string
*/
int
-rdp_in_unistr(STREAM s, char *string, int uni_len)
+rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
{
#ifdef HAVE_ICONV
- size_t ibl = uni_len, obl = uni_len;
+ size_t ibl = in_len, obl = str_size-1;
char *pin = (char *) s->p, *pout = string;
static iconv_t iconv_h = (iconv_t) - 1;

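Review bot: in the new signature 'str_size' and 'in_len' are plain int, yet both are assigned straight to size_t in 'size_t ibl = in_len, obl = str_size-1;'. A negative in_len, or a str_size of 0, becomes a very large unsigned count and defeats the bound this patch introduces. Suggest taking both parameters as an unsigned type, or rejecting 'in_len < 0' and 'str_size < 1' at the top of the function.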
@@ -258,37 +258,56 @@ rdp_in_unistr(STREAM s, char *string, in
WINDOWS_CODEPAGE, g_codepage, (int)
iconv_h);

g_iconv_works = False;
- return rdp_in_unistr(s, string, uni_len);
+ return rdp_in_unistr(s, string, str_size,
in_len);
}
}

if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout,
&obl) == (size_t) - 1)
{
- iconv_close(iconv_h);
- iconv_h = (iconv_t) - 1;
- warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
+ if (errno == E2BIG)
+ {
+ warning("server sent an unexpectedly long
string, truncating\n");
+ }
+ else
+ {
+ iconv_close(iconv_h);
+ iconv_h = (iconv_t) - 1;
+ warning("rdp_in_unistr: iconv fail, errno
%d\n", errno);

- g_iconv_works = False;
- return rdp_in_unistr(s, string, uni_len);
+ g_iconv_works = False;
+ return rdp_in_unistr(s, string, str_size,
in_len);
+ }
}

/* we must update the location of the current STREAM for future
reads of s->p */
- s->p += uni_len;
+ s->p += in_len;

+ *pout = 0;
return pout - string;
}
else
#endif
{
int i = 0;
+ int len = in_len/2;
+ int rem = 0;
+
+ if (len > str_size-1)
+ {
+ warning("server sent an unexpectedly long string,
truncating\n");
+ len = str_size-1;
+ rem = in_len - 2*len;
+ }

- while (i < uni_len / 2)
+ while (i < len)
{
in_uint8a(s, &string[i++], 1);
in_uint8s(s, 1);
}

- return i - 1;
+ in_uint8s(s, rem);
+ string[len] = 0;
+ return len;
}
}

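Review bot: in the non-iconv branch 'int len = in_len/2;' is never checked for a negative value, so a negative in_len skips the loop and 'string[len] = 0;' then writes before the start of the buffer; the test 'len > str_size-1' covers the upper side only. Suggest returning early (or clamping to 0) when in_len is negative. Also worth aligning: an odd in_len leaves one byte unread here, while the iconv branch advances s->p by the full in_len.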
@@ -1323,32 +1342,44 @@ process_redirect_pdu(STREAM s /*, uint32
in_uint32_le(s, len);

/* read ip string */
- rdp_in_unistr(s, g_redirect_server, len);
+ rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);

/* read length of cookie string */
in_uint32_le(s, len);

/* read cookie string (plain ASCII) */
- in_uint8a(s, g_redirect_cookie, len);
+ if (len > sizeof(g_redirect_cookie)-1)
+ {
+ uint32 rem = len - (sizeof(g_redirect_cookie)-1);
+ len = sizeof(g_redirect_cookie)-1;
+
+ warning("Unexpectedly large redirection cookie\n");
+ in_uint8a(s, g_redirect_cookie, len);
+ in_uint8s(s, rem);
+ }
+ else
+ {
+ in_uint8a(s, g_redirect_cookie, len);
+ }
g_redirect_cookie[len] = 0;

/* read length of username string */
in_uint32_le(s, len);

/* read username string */
- rdp_in_unistr(s, g_redirect_username, len);
+ rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);

/* read length of domain string */
in_uint32_le(s, len);

/* read domain string */
- rdp_in_unistr(s, g_redirect_domain, len);
+ rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);

/* read length of password string */
in_uint32_le(s, len);

/* read password string */
- rdp_in_unistr(s, g_redirect_password, len);
+ rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);

g_redirect = True;

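Review bot: every rdp_in_unistr call in this hunk discards the return value and the cookie branch only warns, so a truncated server name, cookie, username, domain or password still reaches 'g_redirect = True;' and the caller has no way to learn that truncation happened. Suggest treating a truncated field as a failed redirect, or documenting why shortened values are acceptable. The cookie code could also clamp len first and call in_uint8a once, which removes the duplicated read in the two branches.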
Index: proto.h
===================================================================
--- proto.h.orig
+++ proto.h
@@ -135,7 +135,7 @@ BOOL rd_lock_file(int fd, int start, int
void rdp5_process(STREAM s);
/* rdp.c */
void rdp_out_unistr(STREAM s, char *string, int len);
-int rdp_in_unistr(STREAM s, char *string, int uni_len);
+int rdp_in_unistr(STREAM s, char *string, int str_size, int in_len);
void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags,
uint16 param1,
uint16 param2);
void rdp_send_client_window_status(int status);
Index: printercache.c
===================================================================
--- printercache.c.orig
+++ printercache.c
@@ -245,8 +245,8 @@ printercache_process(STREAM s)

/* NOTE - 'driver' doesn't contain driver, it contains
the new printer name */

- rdp_in_unistr(s, printer, printer_length);
- rdp_in_unistr(s, driver, driver_length);
+ rdp_in_unistr(s, printer, sizeof(printer),
printer_length);
+ rdp_in_unistr(s, driver, sizeof(driver), driver_length);

printercache_rename_blob(printer, driver);
break;
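Review bot: 'sizeof(printer)' and 'sizeof(driver)' give the buffer size only if both are arrays declared in this scope, and their declarations are outside the hunk. If either is a char pointer, sizeof yields the pointer size and the string is cut to a few bytes. Please confirm the declarations; the same applies to 'sizeof(newname)' in disk.c and 'sizeof(filename)' in rdpdr.c.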
@@ -254,7 +254,7 @@ printercache_process(STREAM s)
case 3: /* delete item */
in_uint8(s, printer_unicode_length);
in_uint8s(s, 0x3); /* padding */
- printer_length = rdp_in_unistr(s, printer,
printer_unicode_length);
+ printer_length = rdp_in_unistr(s, printer,
sizeof(printer), printer_unicode_length);
printercache_unlink_blob(printer);
break;

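Review bot: 'printer_length' is assigned from the return value here, and in the non-iconv branch of rdp.c that value changes from 'i - 1' to 'len', so it is one larger than before for the same input. Nothing in this hunk reads printer_length afterwards, but any later use of it should be checked against the new value.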
@@ -264,7 +264,7 @@ printercache_process(STREAM s)

if (printer_unicode_length < 2 * 255)
{
- rdp_in_unistr(s, printer,
printer_unicode_length);
+ rdp_in_unistr(s, printer, sizeof(printer),
printer_unicode_length);
printercache_save_blob(printer, s->p,
blob_length);
}
break;
Index: disk.c
===================================================================
--- disk.c.orig
+++ disk.c
@@ -799,7 +799,7 @@ disk_set_information(NTHANDLE handle, ui

if (length && (length / 2) < 256)
{
- rdp_in_unistr(in, newname, length);
+ rdp_in_unistr(in, newname, sizeof(newname),
length);
convert_to_unix_filename(newname);
}
else
Index: rdpdr.c
===================================================================
--- rdpdr.c.orig
+++ rdpdr.c
@@ -415,7 +415,7 @@ rdpdr_process_irp(STREAM s)

if (length && (length / 2) < 256)
{
- rdp_in_unistr(s, filename, length);
+ rdp_in_unistr(s, filename, sizeof(filename),
length);
convert_to_unix_filename(filename);
}
else
@@ -608,7 +608,8 @@ rdpdr_process_irp(STREAM s)
in_uint8s(s, 0x17);
if (length && length < 2 * 255)
{
- rdp_in_unistr(s, filename,
length);
+ rdp_in_unistr(s, filename,
sizeof(filename),
+ length);

convert_to_unix_filename(filename);
}
else
++++++ rdesktop-1.5.0-CVE-2008-1803.dif ++++++
Index: rdesktop.c
===================================================================
--- rdesktop.c.orig
+++ rdesktop.c
@@ -1078,16 +1078,16 @@ xstrdup(const char *s)

/* realloc; exit if out of memory */
void *
-xrealloc(void *oldmem, int size)
+xrealloc(void *oldmem, size_t size)
{
void *mem;

- if (size < 1)
+ if (size == 0)
size = 1;
mem = realloc(oldmem, size);
if (mem == NULL)
{
- error("xrealloc %d\n", size);
+ error("xrealloc %ld\n", size);
exit(1);
}
return mem;
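Review bot: 'error("xrealloc %ld\n", size);' prints a size_t with %ld, a signed long conversion that does not match the argument type wherever size_t and long differ in width. Suggest %lu with a cast to unsigned long, or %zu where C99 formatting is available.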
Index: proto.h
===================================================================
--- proto.h.orig
+++ proto.h
@@ -110,7 +110,7 @@ int main(int argc, char *argv[]);
void generate_random(uint8 * random);
void *xmalloc(int size);
char *xstrdup(const char *s);
-void *xrealloc(void *oldmem, int size);
+void *xrealloc(void *oldmem, size_t size);
void xfree(void *mem);
void error(char *format, ...);
void warning(char *format, ...);
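Review bot: the context line 'void *xmalloc(int size);' shows that xmalloc keeps a signed int size while xrealloc moves to size_t. The signedness problem addressed here for xrealloc can arise for xmalloc callers as well; suggest changing its parameter to size_t in the same patch and reviewing its body for the same kind of signed comparison.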

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
