Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 511688 (CVE-2014-0250) - <net-misc/freerdp-1.1.0_beta1_p20130710-r1: integer overflow (CVE-2014-0250)
Summary: <net-misc/freerdp-1.1.0_beta1_p20130710-r1: integer overflow (CVE-2014-0250)
Status: RESOLVED FIXED
Alias: CVE-2014-0250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-28 13:18 UTC by Agostino Sarubbo
Modified: 2014-12-13 17:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-28 13:18:07 UTC
From ${URL} :

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
	XcursorImage ci;
[…]
	ci.width = pointer->width;
	ci.height = pointer->height;
[…]
	ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire.  Both are 16 bit, but because of the multiplication 
with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-09 01:43:30 UTC
Here are the commits for this in to upstream

https://github.com/FreeRDP/FreeRDP/pull/1874
Comment 2 Mike Gilbert gentoo-dev 2014-06-09 23:39:32 UTC
This one will be easier to apply. Just waiting for it to be merged upstream.

https://github.com/FreeRDP/FreeRDP/pull/1891
Comment 3 Mike Gilbert gentoo-dev 2014-06-21 01:56:38 UTC
+*freerdp-1.1.0_beta1_p20130710-r1 (21 Jun 2014)
+
+  21 Jun 2014; Mike Gilbert <floppym@gentoo.org>
+  +files/freerdp-1.1-CVE-2014-0250.patch,
+  +freerdp-1.1.0_beta1_p20130710-r1.ebuild:
+  Add fix for CVE-2014-0250, bug 511688.

Please stabilize:

=net-misc/freerdp-1.1.0_beta1_p20130710-r1
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-21 03:07:59 UTC
Arches, please test and mark stable:

=net-misc/freerdp-1.1.0_beta1_p20130710-r1

Target Keywords : "alpha amd64 arm ppc ppc64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2014-06-21 10:59:05 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-06-21 11:00:13 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2014-06-22 18:40:53 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-07-05 11:31:54 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-07-05 12:51:31 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-07-05 12:54:30 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Kristian Fiskerstrand gentoo-dev Security 2014-07-05 13:33:11 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 17:57:58 UTC
This issue was resolved and addressed in
 GLSA 201412-18 at http://security.gentoo.org/glsa/glsa-201412-18.xml
by GLSA coordinator Sean Amoss (ackle).