FreeRDP: Fix for CVE-2019-17177, CVE-2019-17178

CVEs fixed in this build: CVE-2019-17177 CVE-2019-17178 Note that CVE-2019-17177.patch fixed both issues in a single commit. See upstream issue tracker: FreeRDP/FreeRDP#5645
clearlinux-pkgs · Oct 9, 2019 · 67ff11c · 67ff11c
1 parent 65fb1c8
commit 67ff11c
Show file tree

Hide file tree

Showing 8 changed files with 204 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,7 @@
 .*~
 *~
+*.info
+*.mod
 *.swp
 .repo-index
 *.log
@@ -8,6 +10,10 @@ build.log.round*
 *.tgz
 !*.tar.*.*
 *.zip
+*.jar
+*.pom
+*.xml
 commitmsg
 results/
 rpms/
+for-review.txt
diff --git a/CVE-2019-17177.patch b/CVE-2019-17177.patch
@@ -0,0 +1,174 @@
+From 9fee4ae076b1ec97b97efb79ece08d1dab4df29a Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Fri, 4 Oct 2019 14:49:30 +0200
+Subject: [PATCH] Fixed #5645: realloc return handling
+
+---
+Note: also fixes CVE-2019-17178. See upstream issue:
+https://github.com/FreeRDP/FreeRDP/issues/5645
+
+ client/X11/generate_argument_docbook.c | 33 +++++++++++++++++++++-----
+ libfreerdp/codec/region.c              | 17 ++++++++++---
+ winpr/libwinpr/utils/lodepng/lodepng.c |  6 ++++-
+ 3 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/client/X11/generate_argument_docbook.c b/client/X11/generate_argument_docbook.c
+index b700539e27..1a3ebf563b 100644
+--- a/client/X11/generate_argument_docbook.c
++++ b/client/X11/generate_argument_docbook.c
+@@ -9,6 +9,7 @@
+ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ {
+ 	LPSTR tmp = NULL;
++	LPSTR tmp2 = NULL;
+ 	size_t cs = 0, x, ds, len;
+ 	size_t s;
+
+@@ -25,7 +26,12 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ 	ds = s + 1;
+
+ 	if (s)
+-		tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++	{
++		tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++		if (!tmp2)
++			free(tmp);
++		tmp = tmp2;
++	}
+
+ 	if (NULL == tmp)
+ 	{
+@@ -43,7 +49,10 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ 			case '<':
+ 				len = format ? 13 : 4;
+ 				ds += len - 1;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+
+ 				if (NULL == tmp)
+ 				{
+@@ -64,7 +73,10 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ 			case '>':
+ 				len = format ? 14 : 4;
+ 				ds += len - 1;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+
+ 				if (NULL == tmp)
+ 				{
+@@ -84,7 +96,10 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+
+ 			case '\'':
+ 				ds += 5;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+
+ 				if (NULL == tmp)
+ 				{
+@@ -102,7 +117,10 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+
+ 			case '"':
+ 				ds += 5;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+
+ 				if (NULL == tmp)
+ 				{
+@@ -120,7 +138,10 @@ LPSTR tr_esc_str(LPCSTR arg, bool format)
+
+ 			case '&':
+ 				ds += 4;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+
+ 				if (NULL == tmp)
+ 				{
+diff --git a/libfreerdp/codec/region.c b/libfreerdp/codec/region.c
+index 2bc866538c..c5d19c8061 100644
+--- a/libfreerdp/codec/region.c
++++ b/libfreerdp/codec/region.c
+@@ -467,8 +467,12 @@ static BOOL region16_simplify_bands(REGION16* region)
+
+ 	if (finalNbRects != nbRects)
+ 	{
+-		int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
+-		region->data = realloc(region->data, allocSize);
++		REGION16_DATA* data;
++		size_t allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
++		data = realloc(region->data, allocSize);
++		if (!data)
++			free(region->data);
++		region->data = data;
+
+ 		if (!region->data)
+ 		{
+@@ -485,10 +489,12 @@ static BOOL region16_simplify_bands(REGION16* region)
+
+ BOOL region16_union_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++	REGION16_DATA* data;
+ 	const RECTANGLE_16* srcExtents;
+ 	RECTANGLE_16* dstExtents;
+ 	const RECTANGLE_16* currentBand, *endSrcRect, *nextBand;
+ 	REGION16_DATA* newItems = NULL;
++	REGION16_DATA* tmpItems = NULL;
+ 	RECTANGLE_16* dstRect = NULL;
+ 	UINT32 usedRects, srcNbRects;
+ 	UINT16 topInterBand;
+@@ -673,7 +679,11 @@ BOOL region16_union_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16*
+ 	dstExtents->bottom = MAX(rect->bottom, srcExtents->bottom);
+ 	dstExtents->right = MAX(rect->right, srcExtents->right);
+ 	newItems->size = sizeof(REGION16_DATA) + (usedRects * sizeof(RECTANGLE_16));
+-	dst->data = realloc(newItems, newItems->size);
++	tmpItems = realloc(newItems, newItems->size);
++	if (!tmpItems)
++		free(newItems);
++	newItems = tmpItems;
++	dst->data = newItems;
+
+ 	if (!dst->data)
+ 	{
+@@ -717,6 +727,7 @@ BOOL region16_intersects_rect(const REGION16* src, const RECTANGLE_16* arg2)
+
+ BOOL region16_intersect_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++	REGION16_DATA* data;
+ 	REGION16_DATA* newItems;
+ 	const RECTANGLE_16* srcPtr, *endPtr, *srcExtents;
+ 	RECTANGLE_16* dstPtr;
+diff --git a/winpr/libwinpr/utils/lodepng/lodepng.c b/winpr/libwinpr/utils/lodepng/lodepng.c
+index 741a953b84..b48c881a2d 100644
+--- a/winpr/libwinpr/utils/lodepng/lodepng.c
++++ b/winpr/libwinpr/utils/lodepng/lodepng.c
+@@ -841,11 +841,15 @@ unsigned lodepng_huffman_code_lengths(unsigned* lengths, const unsigned* frequen
+ static unsigned HuffmanTree_makeFromFrequencies(HuffmanTree* tree, const unsigned* frequencies,
+                                                 size_t mincodes, size_t numcodes, unsigned maxbitlen)
+ {
++	unsigned* lengths;
+   unsigned error = 0;
+   while(!frequencies[numcodes - 1] && numcodes > mincodes) numcodes--; /*trim zeroes*/
+   tree->maxbitlen = maxbitlen;
+   tree->numcodes = (unsigned)numcodes; /*number of symbols*/
+-  tree->lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++  lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++	if (!lengths)
++		free(tree->lengths);
++	tree->lengths = lengths;
+   if(!tree->lengths) return 83; /*alloc fail*/
+   /*initialize all lengths to 0*/
+   memset(tree->lengths, 0, numcodes * sizeof(unsigned));
diff --git a/FreeRDP.spec b/FreeRDP.spec
@@ -4,10 +4,10 @@
 #
 Name     : FreeRDP
 Version  : 2.0.0.rc4
-Release  : 24
+Release  : 25
 URL      : https://github.com/FreeRDP/FreeRDP/archive/2.0.0-rc4.tar.gz
 Source0  : https://github.com/FreeRDP/FreeRDP/archive/2.0.0-rc4.tar.gz
-Summary  : Free RDP client
+Summary  : Free implementation of the Remote Desktop Protocol (RDP)
 Group    : Development/Tools
 License  : Apache-2.0
 Requires: FreeRDP-bin = %{version}-%{release}
@@ -43,7 +43,6 @@ BuildRequires : pkg-config
 BuildRequires : pkgconfig(dbus-1)
 BuildRequires : pkgconfig(dbus-glib-1)
 BuildRequires : pkgconfig(glib-2.0)
-BuildRequires : pkgconfig(gtk+-2.0)
 BuildRequires : pkgconfig(libpulse)
 BuildRequires : pkgconfig(libsystemd)
 BuildRequires : pkgconfig(openssl)
@@ -52,9 +51,9 @@ BuildRequires : pkgconfig(wayland-scanner)
 BuildRequires : pkgconfig(xcursor)
 BuildRequires : pkgconfig(xkbcommon)
 BuildRequires : pkgconfig(xrandr)
-BuildRequires : pkgconfig(xrender)
 BuildRequires : systemd-dev
 Patch1: 0001-No-rc4-v2.patch
+Patch2: CVE-2019-17177.patch
 
 %description
 FreeRDP is a open and free implementation of the Remote Desktop Protocol (RDP).
@@ -64,7 +63,6 @@ This package provides nightly master builds of all components.
 Summary: bin components for the FreeRDP package.
 Group: Binaries
 Requires: FreeRDP-license = %{version}-%{release}
-Requires: FreeRDP-man = %{version}-%{release}
 
 %description bin
 bin components for the FreeRDP package.
@@ -76,6 +74,7 @@ Group: Development
 Requires: FreeRDP-lib = %{version}-%{release}
 Requires: FreeRDP-bin = %{version}-%{release}
 Provides: FreeRDP-devel = %{version}-%{release}
+Requires: FreeRDP = %{version}-%{release}
 
 %description dev
 dev components for the FreeRDP package.
@@ -109,21 +108,27 @@ man components for the FreeRDP package.
 %prep
 %setup -q -n FreeRDP-2.0.0-rc4
 %patch1 -p1
+%patch2 -p1
 
 %build
 export http_proxy=http://127.0.0.1:9/
 export https_proxy=http://127.0.0.1:9/
 export no_proxy=localhost,127.0.0.1,0.0.0.0
-export LANG=C
-export SOURCE_DATE_EPOCH=1547584041
+export LANG=C.UTF-8
+export SOURCE_DATE_EPOCH=1570633773
 mkdir -p clr-build
 pushd clr-build
+export GCC_IGNORE_WERROR=1
+export CFLAGS="$CFLAGS -fno-lto -fstack-protector-strong -mzero-caller-saved-regs=used "
+export FCFLAGS="$CFLAGS -fno-lto -fstack-protector-strong -mzero-caller-saved-regs=used "
+export FFLAGS="$CFLAGS -fno-lto -fstack-protector-strong -mzero-caller-saved-regs=used "
+export CXXFLAGS="$CXXFLAGS -fno-lto -fstack-protector-strong -mzero-caller-saved-regs=used "
 %cmake .. -DWITH_ALSA=ON -DWITH_CHANNELS=ON -DWITH_CLIENT=ON -DWITH_CUPS=ON -DWITH_FFMPEG=OFF -DWITH_GSTREAMER_0_10=OFF -DWITH_GSTREAMER_1_0=ON -DWITH_JPEG=ON -DWITH_MANPAGES=ON -DWITH_OPENSSL=ON -DWITH_PULSE=ON -DWITH_SERVER=ON -DWITH_SHADOW_X11=ON -DWITH_SSE2=ON -DWITH_WAYLAND=ON -DWITH_X11=ON -DWITH_X264=OFF -DWITH_XCURSOR=ON -DWITH_XEXT=ON -DWITH_XI=ON -DWITH_XINERAMA=ON -DWITH_XKBFILE=ON -DWITH_XRENDER=ON -DWITH_XTEST=OFF -DWITH_XV=ON -DWITH_ZLIB=ON -DWITH_SOXR=OFF
-make  %{?_smp_mflags} :|| cmake --build .
+make  %{?_smp_mflags}  :|| cmake --build .
 popd
 
 %install
-export SOURCE_DATE_EPOCH=1547584041
+export SOURCE_DATE_EPOCH=1570633773
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/usr/share/package-licenses/FreeRDP
 cp LICENSE %{buildroot}/usr/share/package-licenses/FreeRDP/LICENSE

diff --git a/buildreq_ban b/buildreq_ban
@@ -2,3 +2,5 @@
 # undesirable. One entry per line, no whitespace.
 pkgconfig(libswresample)
 pkgconfig(soxr)
+buildreq-mvn
+gradle
diff --git a/options.conf b/options.conf
@@ -3,6 +3,7 @@ name = FreeRDP
 url = https://github.com/FreeRDP/FreeRDP/archive/2.0.0-rc4.tar.gz
 archives = 
 giturl = https://github.com/FreeRDP/FreeRDP.git
+domain = 
 
 [autospec]
 # build 32 bit libraries
@@ -17,7 +18,7 @@ autoupdate = false
 broken_c++ = false
 # disable parallelization during build
 broken_parallel_build = false
-# this package is a library compatability package and only ships versioned library files
+# this package is a library compatibility package and only ships versioned library files
 compat = false
 # set conservative build flags
 conservative_flags = false
@@ -33,14 +34,16 @@ insecure_build = false
 keepstatic = false
 # do not require autostart subpackage
 no_autostart = false
+# do not generate debuginfo for this package
+nodebug = false
 # disable stripping binaries
 nostrip = false
 # optimize build for size over speed
 optimize_size = false
 # set profile for pgo
 pgo = false
 # set flags for security-sensitive builds
-security_sensitive = false
+security_sensitive = true
 # do not run test suite
 skip_tests = true
 # add .so files to the lib package instead of dev

diff --git a/release b/release
@@ -1 +1 @@
-24
+25
diff --git a/series b/series
@@ -1 +1,2 @@
 0001-No-rc4-v2.patch
+CVE-2019-17177.patch
diff --git a/versions b/versions
@@ -0,0 +1 @@
+2.0.0.rc4