[pkgsrc/trunk]: pkgsrc/net/rdesktop Add patches required to fix CVE-2008-180[...
details: https://anonhg.NetBSD.org/pkgsrc/rev/0aa73b56a963
branches: trunk
changeset: 542269:0aa73b56a963
user: tonnerre <tonnerre%pkgsrc.org@localhost>
date: Sat May 10 15:28:04 2008 +0000
description:
Add patches required to fix CVE-2008-180[123], taken from rdesktop CVS.
1) An integer underflow error in iso.c when processing RDP requests can
be exploited to cause a heap-based buffer overflow.
2) An input validation error in rdp.c when processing RDP redirect
requests can be exploited to cause a BSS-based buffer overflow.
3) A signedness error within "xrealloc()" in rdesktop.c can be exploited
to cause a heap-based buffer overflow.
diffstat:
net/rdesktop/Makefile | 4 +-
net/rdesktop/distinfo | 9 ++-
net/rdesktop/patches/patch-ac | 16 +++++
net/rdesktop/patches/patch-ad | 133 ++++++++++++++++++++++++++++++++++++++++++
net/rdesktop/patches/patch-ae | 13 ++++
net/rdesktop/patches/patch-af | 22 ++++++
net/rdesktop/patches/patch-ag | 33 ++++++++++
net/rdesktop/patches/patch-ah | 13 ++++
net/rdesktop/patches/patch-ai | 19 ++++++
9 files changed, 259 insertions(+), 3 deletions(-)
diffs (truncated from 310 to 300 lines):
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/Makefile
--- a/net/rdesktop/Makefile Sat May 10 14:57:19 2008 +0000
+++ b/net/rdesktop/Makefile Sat May 10 15:28:04 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.33 2008/01/18 05:08:49 tnn Exp $
+# $NetBSD: Makefile,v 1.34 2008/05/10 15:28:04 tonnerre Exp $
#
DISTNAME= rdesktop-1.5.0
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= net
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=rdesktop/}
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/distinfo
--- a/net/rdesktop/distinfo Sat May 10 14:57:19 2008 +0000
+++ b/net/rdesktop/distinfo Sat May 10 15:28:04 2008 +0000
@@ -1,7 +1,14 @@
-$NetBSD: distinfo,v 1.17 2007/06/06 00:16:35 tnn Exp $
+$NetBSD: distinfo,v 1.18 2008/05/10 15:28:04 tonnerre Exp $
SHA1 (rdesktop-1.5.0.tar.gz) = e3086bf865191eed41631813125f482e279c7f3d
RMD160 (rdesktop-1.5.0.tar.gz) = 350e08166d0b7620b4ed9c6594addae7ec53d15a
Size (rdesktop-1.5.0.tar.gz) = 245137 bytes
SHA1 (patch-aa) = dda84f70792828c97aa02567b97d2ae9647b6fcb
SHA1 (patch-ab) = 396a37a4f6f0751e014bd548f9c44f6c462812e1
+SHA1 (patch-ac) = 075ac18148124e5aaa88ee7e5bbd03059d054703
+SHA1 (patch-ad) = 7d439f5dd9f297b6408c60da9d1838c47cc1a90f
+SHA1 (patch-ae) = 556ddf2c44f873c5af99d5e85c51d3097e46eb8b
+SHA1 (patch-af) = 666ca22f3429722cf277af07bbbef2aadfe08281
+SHA1 (patch-ag) = f36405b112a586b0558f52975d3a7c7e3a0ff933
+SHA1 (patch-ah) = 3ab85738b7e2b62e45e4b1e4f4de3714c00a9fe7
+SHA1 (patch-ai) = c167000000e7cea29fcf33be2c9ca60bc472f4da
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ac Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ac,v 1.5 2008/05/10 15:28:04 tonnerre Exp $
+
+--- iso.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ iso.c
+@@ -98,6 +98,11 @@ iso_recv_msg(uint8 * code, uint8 * rdpve
+ next_be(s, length);
+ }
+ }
++ if (length < 4)
++ {
++ error("Bad packet header\n");
++ return NULL;
++ }
+ s = tcp_recv(s, length - 4);
+ if (s == NULL)
+ return NULL;
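Review bot: The new `if (length < 4)` guard carries no comment saying what the 4 stands for, and the error text drops the offending value. I would add `/* length includes the 4 header bytes already read; anything smaller makes length - 4 wrap */` above the check; that reading is presumed, since the header read and the declaration of `length` are outside this hunk. Logging the value as well, `error("Bad packet header, length %d\n", length);`, makes a malformed or hostile peer easier to spot when triaging. iso_recv_msg starts and ends outside the hunk.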
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ad
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ad Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,133 @@
+$NetBSD: patch-ad,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdp.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdp.c
+@@ -241,10 +241,10 @@ rdp_out_unistr(STREAM s, char *string, i
+ * Returns str_len of string
+ */
+ int
+-rdp_in_unistr(STREAM s, char *string, int uni_len)
++rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
+ {
+ #ifdef HAVE_ICONV
+- size_t ibl = uni_len, obl = uni_len;
++ size_t ibl = in_len, obl = str_size-1;
+ char *pin = (char *) s->p, *pout = string;
+ static iconv_t iconv_h = (iconv_t) - 1;
+
+@@ -258,37 +258,56 @@ rdp_in_unistr(STREAM s, char *string, in
+ WINDOWS_CODEPAGE, g_codepage, (int) iconv_h);
+
+ g_iconv_works = False;
+- return rdp_in_unistr(s, string, uni_len);
++ return rdp_in_unistr(s, string, str_size, in_len);
+ }
+ }
+
+ if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout, &obl) == (size_t) - 1)
+ {
+- iconv_close(iconv_h);
+- iconv_h = (iconv_t) - 1;
+- warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
++ if (errno == E2BIG)
++ {
++ warning("server sent an unexpectedly long string, truncating\n");
++ }
++ else
++ {
++ iconv_close(iconv_h);
++ iconv_h = (iconv_t) - 1;
++ warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
+
+- g_iconv_works = False;
+- return rdp_in_unistr(s, string, uni_len);
++ g_iconv_works = False;
++ return rdp_in_unistr(s, string, str_size, in_len);
++ }
+ }
+
+ /* we must update the location of the current STREAM for future reads of s->p */
+- s->p += uni_len;
++ s->p += in_len;
+
++ *pout = 0;
+ return pout - string;
+ }
+ else
+ #endif
+ {
+ int i = 0;
++ int len = in_len / 2;
++ int rem = 0;
++
++ if (len > str_size - 1)
++ {
++ warning("server sent an unexpectedly long string, truncating\n");
++ len = str_size - 1;
++ rem = in_len - 2 * len;
++ }
+
+- while (i < uni_len / 2)
++ while (i < len)
+ {
+ in_uint8a(s, &string[i++], 1);
+ in_uint8s(s, 1);
+ }
+
+- return i - 1;
++ in_uint8s(s, rem);
++ string[len] = 0;
++ return len;
+ }
+ }
+
+@@ -1323,32 +1342,44 @@ process_redirect_pdu(STREAM s /*, uint32
+ in_uint32_le(s, len);
+
+ /* read ip string */
+- rdp_in_unistr(s, g_redirect_server, len);
++ rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);
+
+ /* read length of cookie string */
+ in_uint32_le(s, len);
+
+ /* read cookie string (plain ASCII) */
+- in_uint8a(s, g_redirect_cookie, len);
++ if (len > sizeof(g_redirect_cookie)-1)
++ {
++ uint32 rem = len - (sizeof(g_redirect_cookie)-1);
++ len = sizeof(g_redirect_cookie)-1;
++
++ warning("Unexpectedly large redirection cookie\n");
++ in_uint8a(s, g_redirect_cookie, len);
++ in_uint8s(s, rem);
++ }
++ else
++ {
++ in_uint8a(s, g_redirect_cookie, len);
++ }
+ g_redirect_cookie[len] = 0;
+
+ /* read length of username string */
+ in_uint32_le(s, len);
+
+ /* read username string */
+- rdp_in_unistr(s, g_redirect_username, len);
++ rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);
+
+ /* read length of domain string */
+ in_uint32_le(s, len);
+
+ /* read domain string */
+- rdp_in_unistr(s, g_redirect_domain, len);
++ rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);
+
+ /* read length of password string */
+ in_uint32_le(s, len);
+
+ /* read password string */
+- rdp_in_unistr(s, g_redirect_password, len);
++ rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);
+
+ g_redirect = True;
+
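Review bot: rdp_in_unistr range-checks neither `str_size` nor `in_len`, and `in_len` is a signed int that the process_redirect_pdu call sites fill from a 32-bit wire value (`in_uint32_le(s, len)`). In the non-iconv branch a negative `in_len` yields a negative `len` that passes `if (len > str_size - 1)`, so `string[len] = 0` would store in front of the buffer. In the iconv branch the same value becomes a very large `ibl`, and a `str_size` of 0 makes `obl = str_size-1` wrap. Rejecting both before either branch would close this: `if (str_size < 1) return 0;` followed by `if (in_len < 0) { string[0] = 0; return 0; }`. Whether `in_len` bytes are known to remain in the stream is not visible here and is worth confirming, as process_redirect_pdu starts outside the hunk.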
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ae Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- proto.h.orig 2006-08-07 13:45:43.000000000 +0200
++++ proto.h
+@@ -135,7 +135,7 @@ BOOL rd_lock_file(int fd, int start, int
+ void rdp5_process(STREAM s);
+ /* rdp.c */
+ void rdp_out_unistr(STREAM s, char *string, int len);
+-int rdp_in_unistr(STREAM s, char *string, int uni_len);
++int rdp_in_unistr(STREAM s, char *string, int str_size, int in_len);
+ void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1,
+ uint16 param2);
+ void rdp_send_client_window_status(int status);
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-af
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-af Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-af,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdpdr.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdpdr.c
+@@ -415,7 +415,7 @@ rdpdr_process_irp(STREAM s)
+
+ if (length && (length / 2) < 256)
+ {
+- rdp_in_unistr(s, filename, length);
++ rdp_in_unistr(s, filename, sizeof(filename), length);
+ convert_to_unix_filename(filename);
+ }
+ else
+@@ -608,7 +608,7 @@ rdpdr_process_irp(STREAM s)
+ in_uint8s(s, 0x17);
+ if (length && length < 2 * 255)
+ {
+- rdp_in_unistr(s, filename, length);
++ rdp_in_unistr(s, filename, sizeof(filename), length);
+ convert_to_unix_filename(filename);
+ }
+ else
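Review bot: `sizeof(filename)` gives the destination size only if `filename` is declared as an array inside rdpdr_process_irp, and that declaration is outside both hunks. If it were a `char *`, the bound would be the pointer width and every name would be silently truncated. Please confirm this, and likewise for `sizeof(newname)` in the disk.c patch (patch-ah). The two call sites also sit behind different caller-side limits, `(length / 2) < 256` and `length < 2 * 255`, so a short comment at each stating which buffer size the limit is meant to match would keep them from drifting further.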
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ag
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ag Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-ag,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- printercache.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ printercache.c
+@@ -245,8 +245,8 @@ printercache_process(STREAM s)
+
+ /* NOTE - 'driver' doesn't contain driver, it contains the new printer name */
+
+- rdp_in_unistr(s, printer, printer_length);
+- rdp_in_unistr(s, driver, driver_length);
++ rdp_in_unistr(s, printer, sizeof(printer), printer_length);
++ rdp_in_unistr(s, driver, sizeof(printer), driver_length);
+
+ printercache_rename_blob(printer, driver);
+ break;
+@@ -254,7 +254,7 @@ printercache_process(STREAM s)
+ case 3: /* delete item */
+ in_uint8(s, printer_unicode_length);
+ in_uint8s(s, 0x3); /* padding */
+- printer_length = rdp_in_unistr(s, printer, printer_unicode_length);
++ printer_length = rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+ printercache_unlink_blob(printer);
+ break;
+
+@@ -264,7 +264,7 @@ printercache_process(STREAM s)
+
+ if (printer_unicode_length < 2 * 255)
+ {
+- rdp_in_unistr(s, printer, printer_unicode_length);
++ rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+ printercache_save_blob(printer, s->p, blob_length);
+ }
+ break;
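Review bot: The second call in the rename case bounds the `driver` buffer with the size of a different object: `rdp_in_unistr(s, driver, sizeof(printer), driver_length);`. That is safe only if `driver` is at least as large as `printer`, and both declarations are outside this hunk. It should read `rdp_in_unistr(s, driver, sizeof(driver), driver_length);` so the bound always follows the destination. printercache_process starts and ends outside the hunk.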
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ah
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ah Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- disk.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ disk.c
+@@ -799,7 +799,7 @@ disk_set_information(NTHANDLE handle, ui
+
+ if (length && (length / 2) < 256)
+ {
+- rdp_in_unistr(in, newname, length);
++ rdp_in_unistr(in, newname, sizeof(newname), length);
+ convert_to_unix_filename(newname);
+ }
+ else
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ai Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-ai,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdesktop.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdesktop.c
+@@ -1082,12 +1082,12 @@ xrealloc(void *oldmem, int size)
+ {
+ void *mem;
+
+- if (size < 1)