From ${URL} :

client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

    void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
    {
        XcursorImage ci;
        […]
        ci.width = pointer->width;
        ci.height = pointer->height;
        […]
        ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
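Added example, not part of the original report and not FreeRDP's code: the size calculation described above next to a checked form that a reviewer can use to confirm a fix. The function names and the MAX_POINTER_BYTES cap are hypothetical, and the product is modelled in 32-bit unsigned arithmetic as an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap for one cursor image (assumption, not a FreeRDP value). */
#define MAX_POINTER_BYTES (4u * 1024u * 1024u)

/* Unchecked pattern from the report, modelled in 32-bit unsigned arithmetic
 * (assumption): the product is reduced modulo 2^32 before malloc() sees it. */
static uint32_t unchecked_pixel_bytes(uint16_t width, uint16_t height)
{
    uint32_t w = width, h = height;
    return w * h * 4u;
}

/* Checked form: widen to 64 bits first (65535 * 65535 * 4 fits easily),
 * then reject empty images and anything above the cap. Returns 0 on success. */
static int checked_pixel_bytes(uint16_t width, uint16_t height, size_t *out)
{
    uint64_t bytes = (uint64_t)width * height * 4u;
    if (width == 0 || height == 0 || bytes > MAX_POINTER_BYTES)
        return -1;
    *out = (size_t)bytes;
    return 0;
}

/* Allocate a pixel buffer only when the size is known to be exact. */
static uint32_t *alloc_pixels(uint16_t width, uint16_t height)
{
    size_t bytes;
    if (checked_pixel_bytes(width, height, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed wire values: 0x8001 x 0x8000 needs about 4 GiB. */
    uint16_t w = 0x8001, h = 0x8000;
    uint32_t *p = alloc_pixels(w, h);
    printf("needed:    %llu bytes\n", (unsigned long long)w * h * 4u);
    printf("unchecked: %u bytes\n", (unsigned)unchecked_pixel_bytes(w, h));
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the constructed dimensions the unchecked size comes out as 0x20000 bytes, far smaller than the image a later pixel copy would write, which is why the check has to happen before the allocation.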
Here are the upstream commits for this: https://github.com/FreeRDP/FreeRDP/pull/1874
This one will be easier to apply. Just waiting for it to be merged upstream. https://github.com/FreeRDP/FreeRDP/pull/1891
+*freerdp-1.1.0_beta1_p20130710-r1 (21 Jun 2014) + + 21 Jun 2014; Mike Gilbert <floppym@gentoo.org> + +files/freerdp-1.1-CVE-2014-0250.patch, + +freerdp-1.1.0_beta1_p20130710-r1.ebuild: + Add fix for CVE-2014-0250, bug 511688. Please stabilize: =net-misc/freerdp-1.1.0_beta1_p20130710-r1
Arches, please test and mark stable: =net-misc/freerdp-1.1.0_beta1_p20130710-r1 Target Keywords : "alpha amd64 arm ppc ppc64 x86" Thank you!
amd64 stable
x86 stable
arm stable
alpha stable
ppc64 stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
New GLSA request filed.
This issue was resolved and addressed in GLSA 201412-18 at http://security.gentoo.org/glsa/glsa-201412-18.xml by GLSA coordinator Sean Amoss (ackle).