author | tonnerre <tonnerre@pkgsrc.org> | 2008-05-10 15:28:04 +0000 |
---|---|---|
committer | tonnerre <tonnerre@pkgsrc.org> | 2008-05-10 15:28:04 +0000 |
commit | d98d170994da6b048b636ddebf562244a67a9cf3 (patch) | |
tree | d175d495c6f8a2bc8958e1142fec7a990dd39b54 /net/rdesktop | |
parent | 6e448d297b09826cd122da59035fef42d99596cd (diff) | |
download | pkgsrc-d98d170994da6b048b636ddebf562244a67a9cf3.tar.gz |
Add patches required to fix CVE-2008-180[123], taken from rdesktop CVS.
1) An integer underflow error in iso.c when processing RDP requests can
be exploited to cause a heap-based buffer overflow.
2) An input validation error in rdp.c when processing RDP redirect
requests can be exploited to cause a BSS-based buffer overflow.
3) A signedness error within "xrealloc()" in rdesktop.c can be exploited
to cause a heap-based buffer overflow.
Diffstat (limited to 'net/rdesktop')
-rw-r--r-- | net/rdesktop/Makefile | 4 | ||||
-rw-r--r-- | net/rdesktop/distinfo | 9 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ac | 16 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ad | 133 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ae | 13 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-af | 22 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ag | 33 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ah | 13 | ||||
-rw-r--r-- | net/rdesktop/patches/patch-ai | 19 |
9 files changed, 259 insertions, 3 deletions
diff --git a/net/rdesktop/Makefile b/net/rdesktop/Makefile
index d441422b342..e351bc8ca1e 100644
--- a/net/rdesktop/Makefile
+++ b/net/rdesktop/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.33 2008/01/18 05:08:49 tnn Exp $
+# $NetBSD: Makefile,v 1.34 2008/05/10 15:28:04 tonnerre Exp $
 #
 DISTNAME= rdesktop-1.5.0
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=rdesktop/}
diff --git a/net/rdesktop/distinfo b/net/rdesktop/distinfo
index 21ad229a45a..644983df3d0 100644
--- a/net/rdesktop/distinfo
+++ b/net/rdesktop/distinfo
@@ -1,7 +1,14 @@
-$NetBSD: distinfo,v 1.17 2007/06/06 00:16:35 tnn Exp $
+$NetBSD: distinfo,v 1.18 2008/05/10 15:28:04 tonnerre Exp $
 SHA1 (rdesktop-1.5.0.tar.gz) = e3086bf865191eed41631813125f482e279c7f3d
 RMD160 (rdesktop-1.5.0.tar.gz) = 350e08166d0b7620b4ed9c6594addae7ec53d15a
 Size (rdesktop-1.5.0.tar.gz) = 245137 bytes
 SHA1 (patch-aa) = dda84f70792828c97aa02567b97d2ae9647b6fcb
 SHA1 (patch-ab) = 396a37a4f6f0751e014bd548f9c44f6c462812e1
+SHA1 (patch-ac) = 075ac18148124e5aaa88ee7e5bbd03059d054703
+SHA1 (patch-ad) = 7d439f5dd9f297b6408c60da9d1838c47cc1a90f
+SHA1 (patch-ae) = 556ddf2c44f873c5af99d5e85c51d3097e46eb8b
+SHA1 (patch-af) = 666ca22f3429722cf277af07bbbef2aadfe08281
+SHA1 (patch-ag) = f36405b112a586b0558f52975d3a7c7e3a0ff933
+SHA1 (patch-ah) = 3ab85738b7e2b62e45e4b1e4f4de3714c00a9fe7
+SHA1 (patch-ai) = c167000000e7cea29fcf33be2c9ca60bc472f4da
diff --git a/net/rdesktop/patches/patch-ac b/net/rdesktop/patches/patch-ac
new file mode 100644
index 00000000000..d61015d0b43
--- /dev/null
+++ b/net/rdesktop/patches/patch-ac
@@ -0,0 +1,16 @@
+$NetBSD: patch-ac,v 1.5 2008/05/10 15:28:04 tonnerre Exp $
+
+--- iso.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ iso.c
+@@ -98,6 +98,11 @@ iso_recv_msg(uint8 * code, uint8 * rdpve
+ next_be(s, length);
+ }
+ }
++ if (length < 4)
++ {
++ error("Bad packet header\n");
++ return NULL;
++ }
+ s = tcp_recv(s, length - 4);
+ if (s == NULL)
+ return NULL;
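Review bot: The new `if (length < 4)` guard in iso_recv_msg (iso.c) relies on a bare 4 that is never explained, and the same constant reappears in `tcp_recv(s, length - 4)` right after it. Presumably 4 is the number of header bytes already read before this point, so a smaller `length` would make `length - 4` negative or wrap into a very large receive size; that earlier read is outside the hunk, as are the start and end of the function. A comment above the check would record the reasoning: `/* length counts the 4 header bytes already consumed; anything smaller would underflow length - 4 */`.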
diff --git a/net/rdesktop/patches/patch-ad b/net/rdesktop/patches/patch-ad
new file mode 100644
index 00000000000..92099f9d6f4
--- /dev/null
+++ b/net/rdesktop/patches/patch-ad
@@ -0,0 +1,133 @@
+$NetBSD: patch-ad,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdp.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdp.c
+@@ -241,10 +241,10 @@ rdp_out_unistr(STREAM s, char *string, i
+ * Returns str_len of string
+ */
+ int
+-rdp_in_unistr(STREAM s, char *string, int uni_len)
++rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
+ {
+ #ifdef HAVE_ICONV
+- size_t ibl = uni_len, obl = uni_len;
++ size_t ibl = in_len, obl = str_size-1;
+ char *pin = (char *) s->p, *pout = string;
+ static iconv_t iconv_h = (iconv_t) - 1;
+
+@@ -258,37 +258,56 @@ rdp_in_unistr(STREAM s, char *string, in
+ WINDOWS_CODEPAGE, g_codepage, (int) iconv_h);
+
+ g_iconv_works = False;
+- return rdp_in_unistr(s, string, uni_len);
++ return rdp_in_unistr(s, string, str_size, in_len);
+ }
+ }
+
+ if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout, &obl) == (size_t) - 1)
+ {
+- iconv_close(iconv_h);
+- iconv_h = (iconv_t) - 1;
+- warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
++ if (errno == E2BIG)
++ {
++ warning("server sent an unexpectedly long string, truncating\n");
++ }
++ else
++ {
++ iconv_close(iconv_h);
++ iconv_h = (iconv_t) - 1;
++ warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
+
+- g_iconv_works = False;
+- return rdp_in_unistr(s, string, uni_len);
++ g_iconv_works = False;
++ return rdp_in_unistr(s, string, str_size, in_len);
++ }
+ }
+
+ /* we must update the location of the current STREAM for future reads of s->p */
+- s->p += uni_len;
++ s->p += in_len;
+
++ *pout = 0;
+ return pout - string;
+ }
+ else
+ #endif
+ {
+ int i = 0;
++ int len = in_len / 2;
++ int rem = 0;
++
++ if (len > str_size - 1)
++ {
++ warning("server sent an unexpectedly long string, truncating\n");
++ len = str_size - 1;
++ rem = in_len - 2 * len;
++ }
+
+- while (i < uni_len / 2)
++ while (i < len)
+ {
+ in_uint8a(s, &string[i++], 1);
+ in_uint8s(s, 1);
+ }
+
+- return i - 1;
++ in_uint8s(s, rem);
++ string[len] = 0;
++ return len;
+ }
+ }
+
+@@ -1323,32 +1342,44 @@ process_redirect_pdu(STREAM s /*, uint32
+ in_uint32_le(s, len);
+
+ /* read ip string */
+- rdp_in_unistr(s, g_redirect_server, len);
++ rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);
+
+ /* read length of cookie string */
+ in_uint32_le(s, len);
+
+ /* read cookie string (plain ASCII) */
+- in_uint8a(s, g_redirect_cookie, len);
++ if (len > sizeof(g_redirect_cookie)-1)
++ {
++ uint32 rem = len - (sizeof(g_redirect_cookie)-1);
++ len = sizeof(g_redirect_cookie)-1;
++
++ warning("Unexpectedly large redirection cookie\n");
++ in_uint8a(s, g_redirect_cookie, len);
++ in_uint8s(s, rem);
++ }
++ else
++ {
++ in_uint8a(s, g_redirect_cookie, len);
++ }
+ g_redirect_cookie[len] = 0;
+
+ /* read length of username string */
+ in_uint32_le(s, len);
+
+ /* read username string */
+- rdp_in_unistr(s, g_redirect_username, len);
++ rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);
+
+ /* read length of domain string */
+ in_uint32_le(s, len);
+
+ /* read domain string */
+- rdp_in_unistr(s, g_redirect_domain, len);
++ rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);
+
+ /* read length of password string */
+ in_uint32_le(s, len);
+
+ /* read password string */
+- rdp_in_unistr(s, g_redirect_password, len);
++ rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);
+
+ g_redirect = True;
+
diff --git a/net/rdesktop/patches/patch-ae b/net/rdesktop/patches/patch-ae
new file mode 100644
index 00000000000..25d658e9af5
--- /dev/null
+++ b/net/rdesktop/patches/patch-ae
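Review bot: In rdp.c, rdp_in_unistr still trusts `in_len`: it is a signed int, and process_redirect_pdu passes it a length read straight from the packet with `in_uint32_le(s, len)`, so it can arrive negative or larger than the data left in `s`. On the non-iconv path a negative `in_len` can make `len` negative, which skips the truncation branch and the loop and then lets `string[len] = 0` write before the start of the buffer; on the iconv path it turns into a huge `ibl` and `s->p += in_len` moves the stream pointer backwards. Nothing visible compares `in_len` with the bytes remaining in the stream, so an over-long length would also be read past the end of the packet data. A guard at the top of the function such as `if (in_len < 0 || str_size < 1) { error("rdp_in_unistr: bad length\n"); return 0; }`, together with a check against the remaining stream bytes, would cover both cases. Part of the function body lies between the two rdp.c hunks and is not shown, so an existing check there cannot be ruled out.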
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- proto.h.orig 2006-08-07 13:45:43.000000000 +0200
++++ proto.h
+@@ -135,7 +135,7 @@ BOOL rd_lock_file(int fd, int start, int
+ void rdp5_process(STREAM s);
+ /* rdp.c */
+ void rdp_out_unistr(STREAM s, char *string, int len);
+-int rdp_in_unistr(STREAM s, char *string, int uni_len);
++int rdp_in_unistr(STREAM s, char *string, int str_size, int in_len);
+ void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1,
+ uint16 param2);
+ void rdp_send_client_window_status(int status);
diff --git a/net/rdesktop/patches/patch-af b/net/rdesktop/patches/patch-af
new file mode 100644
index 00000000000..d88dd318031
--- /dev/null
+++ b/net/rdesktop/patches/patch-af
@@ -0,0 +1,22 @@
+$NetBSD: patch-af,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdpdr.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdpdr.c
+@@ -415,7 +415,7 @@ rdpdr_process_irp(STREAM s)
+
+ if (length && (length / 2) < 256)
+ {
+- rdp_in_unistr(s, filename, length);
++ rdp_in_unistr(s, filename, sizeof(filename), length);
+ convert_to_unix_filename(filename);
+ }
+ else
+@@ -608,7 +608,7 @@ rdpdr_process_irp(STREAM s)
+ in_uint8s(s, 0x17);
+ if (length && length < 2 * 255)
+ {
+- rdp_in_unistr(s, filename, length);
++ rdp_in_unistr(s, filename, sizeof(filename), length);
+ convert_to_unix_filename(filename);
+ }
+ else
diff --git a/net/rdesktop/patches/patch-ag b/net/rdesktop/patches/patch-ag
new file mode 100644
index 00000000000..4c4ec179a79
--- /dev/null
+++ b/net/rdesktop/patches/patch-ag
@@ -0,0 +1,33 @@
+$NetBSD: patch-ag,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- printercache.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ printercache.c
+@@ -245,8 +245,8 @@ printercache_process(STREAM s)
+
+ /* NOTE - 'driver' doesn't contain driver, it contains the new printer name */
+
+- rdp_in_unistr(s, printer, printer_length);
+- rdp_in_unistr(s, driver, driver_length);
++ rdp_in_unistr(s, printer, sizeof(printer), printer_length);
++ rdp_in_unistr(s, driver, sizeof(printer), driver_length);
+
+ printercache_rename_blob(printer, driver);
+ break;
+@@ -254,7 +254,7 @@ printercache_process(STREAM s)
+ case 3: /* delete item */
+ in_uint8(s, printer_unicode_length);
+ in_uint8s(s, 0x3); /* padding */
+- printer_length = rdp_in_unistr(s, printer, printer_unicode_length);
++ printer_length = rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+ printercache_unlink_blob(printer);
+ break;
+
+@@ -264,7 +264,7 @@ printercache_process(STREAM s)
+
+ if (printer_unicode_length < 2 * 255)
+ {
+- rdp_in_unistr(s, printer, printer_unicode_length);
++ rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+ printercache_save_blob(printer, s->p, blob_length);
+ }
+ break;
diff --git a/net/rdesktop/patches/patch-ah b/net/rdesktop/patches/patch-ah
new file mode 100644
index 00000000000..c831a48d93b
--- /dev/null
+++ b/net/rdesktop/patches/patch-ah
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- disk.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ disk.c
+@@ -799,7 +799,7 @@ disk_set_information(NTHANDLE handle, ui
+
+ if (length && (length / 2) < 256)
+ {
+- rdp_in_unistr(in, newname, length);
++ rdp_in_unistr(in, newname, sizeof(newname), length);
+ convert_to_unix_filename(newname);
+ }
+ else
diff --git a/net/rdesktop/patches/patch-ai b/net/rdesktop/patches/patch-ai
new file mode 100644
index 00000000000..a02f00aff53
--- /dev/null
+++ b/net/rdesktop/patches/patch-ai
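Review bot: In printercache.c the second converted call passes the wrong buffer's size: `rdp_in_unistr(s, driver, sizeof(printer), driver_length);` bounds the write into `driver` by the size of `printer`. The declarations are outside the hunk, so the two arrays may happen to be the same size today, but if `driver` is or becomes smaller, the overflow this patch is meant to prevent remains. The line should read `rdp_in_unistr(s, driver, sizeof(driver), driver_length);`. More generally, each `sizeof(...)` bound added in this commit is only valid if its argument is an array in scope rather than a pointer, which is worth confirming for `filename` in rdpdr.c and `newname` in disk.c as well.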
@@ -0,0 +1,19 @@
+$NetBSD: patch-ai,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdesktop.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdesktop.c
+@@ -1082,12 +1082,12 @@ xrealloc(void *oldmem, int size)
+ {
+ void *mem;
+
+- if (size < 1)
++ if (size == 0)
+ size = 1;
+ mem = realloc(oldmem, size);
+ if (mem == NULL)
+ {
+- error("xrealloc %d\n", size);
++ error("xrealloc %ld\n", size);
+ exit(1);
+ }
+ return mem;
|
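Review bot: The new `error("xrealloc %ld\n", size);` in rdesktop.c does not match the argument type as far as this hunk shows: the hunk header still reads `xrealloc(void *oldmem, int size)` and the signature line is not among the changed lines, so `size` appears to remain an int, and printing an int with `%ld` is undefined behaviour. With `if (size == 0)` a negative `size` is no longer clamped to 1 but is implicitly converted to a very large value for `realloc`, which is expected to fail and reach `exit(1)`; that fails closed, but only by relying on the conversion. Either change the parameter to `size_t` here and in its prototype and print it with `error("xrealloc %lu\n", (unsigned long) size);`, or keep `int`, keep `%d`, and reject negative sizes explicitly before the `realloc` call.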