Hello community, here is the log from the commit of package rdesktop checked in at Tue Jun 3 01:09:31 CEST 2008. -------- --- rdesktop/rdesktop.changes 2007-04-25 17:24:04.000000000 +0200 +++ /mounts/work_src_done/STABLE/rdesktop/rdesktop.changes 2008-05-08 14:41:41.112646000 +0200 @@ -1,0 +2,8 @@ +Thu May 8 14:29:51 CEST 2008 - mc@suse.de + +- fix multiple problems in rdesktop + * CVE-2008-1801 - integer underflow vulnerability + * CVE-2008-1802 - BSS overflow vulnerability + * CVE-2008-1803 - integer signedness vulnerability + +------------------------------------------------------------------- New: ---- rdesktop-1.5.0-CVE-2008-1801.dif rdesktop-1.5.0-CVE-2008-1802.dif rdesktop-1.5.0-CVE-2008-1803.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rdesktop.spec ++++++ --- /var/tmp/diff_new_pack.im9500/_old 2008-06-03 01:09:26.000000000 +0200 +++ /var/tmp/diff_new_pack.im9500/_new 2008-06-03 01:09:26.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package rdesktop (Version 1.5.0) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # 
@@ -10,20 +10,24 @@ # norootforbuild + Name: rdesktop BuildRequires: openssl-devel xorg-x11-devel -URL: http://www.rdesktop.org/ -License: GNU General Public License (GPL) -Group: Productivity/Networking/Other -Autoreqprov: on +Url: http://www.rdesktop.org/ +License: GPL v2 or later +Group: Productivity/Networking/Remote Desktop +AutoReqProv: on Version: 1.5.0 -Release: 41 -Summary: a Remote Desktop Protocol client +Release: 132 +Summary: A Remote Desktop Protocol client Source: %{name}-%{version}.tar.bz2 Patch0: rdesktop-1.4.0-lib64.dif Patch1: rdesktop-1.5.0-fs-fix-1.dif Patch2: rdesktop-1.5.0-fix-printer-strcmp.dif Patch3: rdesktop-1.5.0-fix-segfault.dif +Patch4: rdesktop-1.5.0-CVE-2008-1801.dif +Patch5: rdesktop-1.5.0-CVE-2008-1802.dif +Patch6: rdesktop-1.5.0-CVE-2008-1803.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -44,6 +48,9 @@ %patch1 %patch2 %patch3 +%patch4 +%patch5 +%patch6 %build %{suse_update_config} @@ -73,14 +80,19 @@ %{_mandir}/man1/rdesktop.1.gz %changelog -* Wed Apr 25 2007 - mc@suse.de +* Thu May 08 2008 mc@suse.de +- fix multiple problems in rdesktop + * CVE-2008-1801 - integer underflow vulnerability + * CVE-2008-1802 - BSS overflow vulnerability + * CVE-2008-1803 - integer signedness vulnerability +* Wed Apr 25 2007 mc@suse.de - fix segfaults after recent update of X.org [#267016] -* Tue Dec 19 2006 - mc@suse.de +* Tue Dec 19 2006 mc@suse.de - fix "comparison with string literal" [#228709] -* Mon Nov 06 2006 - schwab@suse.de +* Mon Nov 06 2006 schwab@suse.de - Don't strip binaries. -* Tue Sep 19 2006 - mc@suse.de +* Tue Sep 19 2006 mc@suse.de - rdesktop (1.5.0) * SeamlessRDP - seamless windows support * Keymap fixes 
@@ -97,18 +109,18 @@ * The default color depth is now the depth of the root window * Basic support for Windows Vista Beta 2 * Fix high cpu-usage in OSS-driver -* Mon Sep 11 2006 - mc@suse.de +* Mon Sep 11 2006 mc@suse.de - /usr/X11R6 => /usr/ -* Fri May 26 2006 - schwab@suse.de +* Fri May 26 2006 schwab@suse.de - Don't strip binaries. -* Thu May 04 2006 - mc@suse.de +* Thu May 04 2006 mc@suse.de - add xgl fix [#164671] -* Mon Mar 20 2006 - mc@suse.de +* Mon Mar 20 2006 mc@suse.de - fix Compiz makes rdesktop window entirely transparent [# 155335] -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Fri Jun 03 2005 - mc@suse.de +* Fri Jun 03 2005 mc@suse.de - switch to version 1.4.1 * persistent bitmap cache optimisations * support for more RDP-orders (ellipse, polygon) 
@@ -120,46 +132,46 @@ * Support for RDP-compression (all bpps) * process RDP recv queue if send queue is full (Debian bug #246461) * SGI/Irix sound-driver fixes -* Wed Mar 30 2005 - mc@suse.de +* Wed Mar 30 2005 mc@suse.de - switch to version 1.4.0 - remove rdesktop-1.2.0-24bit-color.dif, rdesktop-1.2.0-configure.dif and rdesktop-kdehead.patch - add rdesktop-1.4.0-lib64.dif -* Tue Aug 24 2004 - mc@suse.de +* Tue Aug 24 2004 mc@suse.de - add rdesktop-kdehead.patch to make krdc working [#43860] -* Thu Feb 26 2004 - mc@suse.de +* Thu Feb 26 2004 mc@suse.de - switch to version 1.3.1 * Crypto fixes for RDP5 * Keyboard and keymap fixes * some endianess fixes for high color * portability enhancements -* Sat Jan 10 2004 - adrian@suse.de +* Sat Jan 10 2004 adrian@suse.de - build as user -* Thu Oct 30 2003 - mc@suse.de +* Thu Oct 30 2003 mc@suse.de - switch to version 1.3.0 -* Mon Aug 18 2003 - mc@suse.de +* Mon Aug 18 2003 mc@suse.de - renamed rdesktop-1.2.0.dif to rdesktop-1.2.0-24bit-color.dif - add rdesktop-1.2.0-configure.dif . Makes it possible to set CFLAGS from external. 
- add -fno-strict-aliasing - removed unused patches (rdesktop-unified-patch19-9-0.bz2, rdesktop-1.1.0.dif) -* Fri Jul 04 2003 - sndirsch@suse.de +* Fri Jul 04 2003 sndirsch@suse.de - workaround for 24bit color depth problem (Bug #27726) -* Mon Jun 16 2003 - coolo@suse.de +* Mon Jun 16 2003 coolo@suse.de - use BuildRoot -* Tue Mar 18 2003 - sndirsch@suse.de +* Tue Mar 18 2003 sndirsch@suse.de - added missing keymaps (Bug #25565) -* Thu Jan 30 2003 - sndirsch@suse.de +* Fri Jan 31 2003 sndirsch@suse.de - updated to release 1.2.0 (Bug #23211) * this features new keyboard mapping code, high encryption support and many small additions and bugfixes -* Fri Aug 23 2002 - uli@suse.de +* Fri Aug 23 2002 uli@suse.de - added patches from http://bibl4.oru.se/projects/rdesktop that have been reported to be necessary for proper operation (bug #18223) -* Wed Apr 24 2002 - uli@suse.de +* Wed Apr 24 2002 uli@suse.de - fixed for lib64 -* Thu Oct 18 2001 - uli@suse.de +* Thu Oct 18 2001 uli@suse.de - initial package
++++++ rdesktop-1.5.0-CVE-2008-1801.dif ++++++
Index: iso.c
===================================================================
RCS file: /cvsroot/rdesktop/rdesktop/iso.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- iso.c 8 Jan 2007 04:47:05 -0000 1.19
+++ iso.c 14 Feb 2008 11:45:13 -0000 1.20
@@ -98,6 +98,11 @@
 next_be(s, length);
 }
 }
+ if (length < 4)
+ {
+ error("Bad packet header\n");
+ return NULL;
+ }
 s = tcp_recv(s, length - 4);
 if (s == NULL)
 return NULL;
++++++ rdesktop-1.5.0-CVE-2008-1802.dif ++++++
Index: rdp.c
===================================================================
--- rdp.c.orig
+++ rdp.c
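Review bot: The added guard `if (length < 4)` stops `length - 4` from wrapping, but it still admits `length == 4`, which calls `tcp_recv(s, 0)` and passes an empty payload to whatever parses the packet next. That parsing is outside this hunk, so it is worth confirming that the code after `tcp_recv` cannot read header fields that were never received; if it can, the minimum should be raised to the smallest valid PDU. The constant also deserves a comment, for example `/* length counts the 4 header bytes already consumed */`, if that is what the 4 stands for. The enclosing function starts and ends outside the hunk.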
@@ -241,10 +241,10 @@ rdp_out_unistr(STREAM s, char *string, i
 * Returns str_len of string
 */
 int
-rdp_in_unistr(STREAM s, char *string, int uni_len)
+rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
 {
 #ifdef HAVE_ICONV
- size_t ibl = uni_len, obl = uni_len;
+ size_t ibl = in_len, obl = str_size-1;
 char *pin = (char *) s->p, *pout = string;
 static iconv_t iconv_h = (iconv_t) - 1;
@@ -258,37 +258,56 @@ rdp_in_unistr(STREAM s, char *string, in
 WINDOWS_CODEPAGE, g_codepage, (int) iconv_h);
 g_iconv_works = False;
- return rdp_in_unistr(s, string, uni_len);
+ return rdp_in_unistr(s, string, str_size, in_len);
 }
 }
 if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout, &obl) == (size_t) - 1)
 {
- iconv_close(iconv_h);
- iconv_h = (iconv_t) - 1;
- warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
+ if (errno == E2BIG)
+ {
+ warning("server sent an unexpectedly long string, truncating\n");
+ }
+ else
+ {
+ iconv_close(iconv_h);
+ iconv_h = (iconv_t) - 1;
+ warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
- g_iconv_works = False;
- return rdp_in_unistr(s, string, uni_len);
+ g_iconv_works = False;
+ return rdp_in_unistr(s, string, str_size, in_len);
+ }
 }
 /* we must update the location of the current STREAM for future reads of s->p */
- s->p += uni_len;
+ s->p += in_len;
+ *pout = 0;
 return pout - string;
 }
 else
 #endif
 {
 int i = 0;
+ int len = in_len/2;
+ int rem = 0;
+
+ if (len > str_size-1)
+ {
+ warning("server sent an unexpectedly long string, truncating\n");
+ len = str_size-1;
+ rem = in_len - 2*len;
+ }
- while (i < uni_len / 2)
+ while (i < len)
 {
 in_uint8a(s, &string[i++], 1);
 in_uint8s(s, 1);
 }
- return i - 1;
+ in_uint8s(s, rem);
+ string[len] = 0;
+ return len;
 }
 }
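Review bot: The comment above `rdp_in_unistr` still says only "Returns str_len of string" and does not describe the two new parameters, which now carry the whole bounds contract. I would extend it to state that `str_size` is the capacity of `string` in bytes including the terminating NUL and must be at least 1, and that `in_len` is the number of input bytes consumed from the stream. The lower bound matters because `obl = str_size-1` is converted to `size_t`, so a caller passing 0 would get an effectively unlimited output size. The function body continues outside this hunk.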
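Review bot: A negative `in_len` is never rejected, so in the non-iconv branch `int len = in_len/2;` can be negative and `string[len] = 0;` then writes before the start of `string`, while in the iconv branch `s->p += in_len;` would step the stream pointer backwards. The process_redirect_pdu hunk of this patch passes a length read with `in_uint32_le` into this `int` parameter, so such a value looks reachable from server data, though the declaration of that variable is not visible. I would clamp or reject it before `in_len` is used, e.g. `if (in_len < 0) { warning("rdp_in_unistr: bad length\n"); in_len = 0; }`, which also means initialising `ibl` after the check rather than in its declaration. Nothing in the hunk compares `in_len` with the bytes left in the stream either; if STREAM offers a bound for that, it belongs in the same check.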
@@ -1323,32 +1342,44 @@ process_redirect_pdu(STREAM s /*, uint32
 in_uint32_le(s, len);
 /* read ip string */
- rdp_in_unistr(s, g_redirect_server, len);
+ rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);
 /* read length of cookie string */
 in_uint32_le(s, len);
 /* read cookie string (plain ASCII) */
- in_uint8a(s, g_redirect_cookie, len);
+ if (len > sizeof(g_redirect_cookie)-1)
+ {
+ uint32 rem = len - (sizeof(g_redirect_cookie)-1);
+ len = sizeof(g_redirect_cookie)-1;
+
+ warning("Unexpectedly large redirection cookie\n");
+ in_uint8a(s, g_redirect_cookie, len);
+ in_uint8s(s, rem);
+ }
+ else
+ {
+ in_uint8a(s, g_redirect_cookie, len);
+ }
 g_redirect_cookie[len] = 0;
 /* read length of username string */
 in_uint32_le(s, len);
 /* read username string */
- rdp_in_unistr(s, g_redirect_username, len);
+ rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);
 /* read length of domain string */
 in_uint32_le(s, len);
 /* read domain string */
- rdp_in_unistr(s, g_redirect_domain, len);
+ rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);
 /* read length of password string */
 in_uint32_le(s, len);
 /* read password string */
- rdp_in_unistr(s, g_redirect_password, len);
+ rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);
 g_redirect = True;
Index: proto.h
===================================================================
--- proto.h.orig
+++ proto.h
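Review bot: Truncation is reported only through `warning()`, and the `rdp_in_unistr` results are discarded, so `g_redirect = True` is still set when the server name, cookie or credentials were cut short. How `g_redirect` is consumed is outside this hunk, but acting on a truncated server address or cookie means following a redirect the server did not actually describe. Failing the redirect when any field does not fit its buffer would be the safer behaviour than continuing with partial values. The function starts and ends outside the hunk.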
@@ -135,7 +135,7 @@ BOOL rd_lock_file(int fd, int start, int
 void rdp5_process(STREAM s);
 /* rdp.c */
 void rdp_out_unistr(STREAM s, char *string, int len);
-int rdp_in_unistr(STREAM s, char *string, int uni_len);
+int rdp_in_unistr(STREAM s, char *string, int str_size, int in_len);
 void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1, uint16 param2);
 void rdp_send_client_window_status(int status);
Index: printercache.c
===================================================================
--- printercache.c.orig
+++ printercache.c
@@ -245,8 +245,8 @@ printercache_process(STREAM s)
 /* NOTE - 'driver' doesn't contain driver, it contains the new printer name */
- rdp_in_unistr(s, printer, printer_length);
- rdp_in_unistr(s, driver, driver_length);
+ rdp_in_unistr(s, printer, sizeof(printer), printer_length);
+ rdp_in_unistr(s, driver, sizeof(driver), driver_length);
 printercache_rename_blob(printer, driver);
 break;
@@ -254,7 +254,7 @@ printercache_process(STREAM s)
 case 3: /* delete item */
 in_uint8(s, printer_unicode_length);
 in_uint8s(s, 0x3); /* padding */
- printer_length = rdp_in_unistr(s, printer, printer_unicode_length);
+ printer_length = rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
 printercache_unlink_blob(printer);
 break;
@@ -264,7 +264,7 @@ printercache_process(STREAM s)
 if (printer_unicode_length < 2 * 255)
 {
- rdp_in_unistr(s, printer, printer_unicode_length);
+ rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
 printercache_save_blob(printer, s->p, blob_length);
 }
 break;
Index: disk.c
===================================================================
--- disk.c.orig
+++ disk.c
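Review bot: `sizeof(printer)` and `sizeof(driver)` give the buffer capacity only if both are arrays declared in this function; their declarations are outside these hunks, and if either were a `char *` the limit would silently become the pointer size. The same applies to `sizeof(newname)` in the disk.c hunk and `sizeof(filename)` in the two rdpdr.c hunks, so each declaration should be checked once. With that confirmed, caller-side tests such as `printer_unicode_length < 2 * 255` become a second, differently worded bound, and a short comment saying which check is authoritative would help the next reader.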
@@ -799,7 +799,7 @@ disk_set_information(NTHANDLE handle, ui
 if (length && (length / 2) < 256)
 {
- rdp_in_unistr(in, newname, length);
+ rdp_in_unistr(in, newname, sizeof(newname), length);
 convert_to_unix_filename(newname);
 }
 else
Index: rdpdr.c
===================================================================
--- rdpdr.c.orig
+++ rdpdr.c
@@ -415,7 +415,7 @@ rdpdr_process_irp(STREAM s)
 if (length && (length / 2) < 256)
 {
- rdp_in_unistr(s, filename, length);
+ rdp_in_unistr(s, filename, sizeof(filename), length);
 convert_to_unix_filename(filename);
 }
 else
@@ -608,7 +608,8 @@ rdpdr_process_irp(STREAM s)
 in_uint8s(s, 0x17);
 if (length && length < 2 * 255)
 {
- rdp_in_unistr(s, filename, length);
+ rdp_in_unistr(s, filename, sizeof(filename),
+ length);
 convert_to_unix_filename(filename);
 }
 else
++++++ rdesktop-1.5.0-CVE-2008-1803.dif ++++++
Index: rdesktop.c
===================================================================
--- rdesktop.c.orig
+++ rdesktop.c
@@ -1078,16 +1078,16 @@ xstrdup(const char *s)
 /* realloc; exit if out of memory */
 void *
-xrealloc(void *oldmem, int size)
+xrealloc(void *oldmem, size_t size)
 {
 void *mem;
- if (size < 1)
+ if (size == 0)
 size = 1;
 mem = realloc(oldmem, size);
 if (mem == NULL)
 {
- error("xrealloc %d\n", size);
+ error("xrealloc %ld\n", size);
 exit(1);
 }
 return mem;
Index: proto.h
===================================================================
--- proto.h.orig
+++ proto.h
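Review bot: In the xrealloc hunk, `error("xrealloc %ld\n", size);` passes a `size_t` to a `%ld` conversion, which mismatches in signedness and, on some ABIs, in width. `%zu` is the exact specifier but needs C99 printf support; if that cannot be assumed for this code base, `error("xrealloc %lu\n", (unsigned long) size);` is the portable form. The `if (size == 0)` test is the right unsigned replacement for the old `size < 1`.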
@@ -110,7 +110,7 @@ int main(int argc, char *argv[]);
 void generate_random(uint8 * random);
 void *xmalloc(int size);
 char *xstrdup(const char *s);
-void *xrealloc(void *oldmem, int size);
+void *xrealloc(void *oldmem, size_t size);
 void xfree(void *mem);
 void error(char *format, ...);
 void warning(char *format, ...);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
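Review bot: The context line `void *xmalloc(int size);` shows that the sibling allocator keeps a signed size while `xrealloc` moves to `size_t`. xmalloc's body is not part of this diff, but if it handles its argument the way xrealloc did before this change, an unsigned length converted to `int` at a call site would still be misinterpreted there. I would either change the prototype to `void *xmalloc(size_t size);` in the same patch, together with its definition, or record why xmalloc is not affected.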