
Bug 511688 (CVE-2014-0250)

Summary: <net-misc/freerdp-1.1.0_beta1_p20130710-r1: integer overflow (CVE-2014-0250)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: floppym
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=998934
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-05-28 13:18:07 UTC
From ${URL} :

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
	XcursorImage ci;
[…]
	ci.width = pointer->width;
	ci.height = pointer->height;
[…]
	ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire.  Both are 16 bit, but because of the multiplication 
with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
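
Added example, not part of the bug report and not FreeRDP's code or the upstream fix: the wrap-around in the quoted malloc() size next to an overflow-checked size computation. It assumes the dimensions are held in 32-bit unsigned fields; the function names and the MAX_CURSOR_BYTES cap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap on one cursor image's pixel buffer (assumption). */
#define MAX_CURSOR_BYTES ((size_t)16 * 1024 * 1024)

/* The quoted expression, assuming 32-bit unsigned operands (assumption):
 * the product is reduced modulo 2^32 before malloc() ever sees it. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Overflow-safe size: divides instead of multiplying, so no intermediate
 * value can wrap. Returns 0 and sets *out, or -1 if a dimension is zero
 * or width * height * 4 would exceed limit. */
int checked_pixel_bytes(uint32_t width, uint32_t height, size_t limit,
                        size_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (width > limit / 4 / height)
        return -1;
    *out = (size_t)width * height * 4;
    return 0;
}

/* Allocate a zeroed pixel buffer for dimensions taken from the wire;
 * NULL means the dimensions were rejected or memory is exhausted. */
uint32_t *alloc_cursor_pixels(uint16_t wire_w, uint16_t wire_h)
{
    size_t bytes;

    if (checked_pixel_bytes(wire_w, wire_h, MAX_CURSOR_BYTES, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed inputs: both dimensions fit in 16 bits. */
    printf("naive(0x8000, 0x8000) = %u\n", (unsigned)naive_pixel_bytes(0x8000, 0x8000));
    printf("naive(0x8001, 0x8000) = %u\n", (unsigned)naive_pixel_bytes(0x8001, 0x8000));
    printf("checked alloc: %s\n",
           alloc_cursor_pixels(0x8001, 0x8000) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed 0x8001 x 0x8000 input the naive size comes out as 131072 bytes, while the image actually needs a little over 4 GiB, so any later write sized by width and height runs past the end of the buffer.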
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 01:43:30 UTC
Here are the commits for this upstream:

https://github.com/FreeRDP/FreeRDP/pull/1874
Comment 2 Mike Gilbert gentoo-dev 2014-06-09 23:39:32 UTC
This one will be easier to apply. Just waiting for it to be merged upstream.

https://github.com/FreeRDP/FreeRDP/pull/1891
Comment 3 Mike Gilbert gentoo-dev 2014-06-21 01:56:38 UTC
+*freerdp-1.1.0_beta1_p20130710-r1 (21 Jun 2014)
+
+  21 Jun 2014; Mike Gilbert <floppym@gentoo.org>
+  +files/freerdp-1.1-CVE-2014-0250.patch,
+  +freerdp-1.1.0_beta1_p20130710-r1.ebuild:
+  Add fix for CVE-2014-0250, bug 511688.

Please stabilize:

=net-misc/freerdp-1.1.0_beta1_p20130710-r1
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-21 03:07:59 UTC
Arches, please test and mark stable:

=net-misc/freerdp-1.1.0_beta1_p20130710-r1

Target Keywords : "alpha amd64 arm ppc ppc64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2014-06-21 10:59:05 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-06-21 11:00:13 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2014-06-22 18:40:53 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-07-05 11:31:54 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 12:51:31 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:30 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-07-05 13:33:11 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 17:57:58 UTC
This issue was resolved and addressed in
 GLSA 201412-18 at http://security.gentoo.org/glsa/glsa-201412-18.xml
by GLSA coordinator Sean Amoss (ackle).