pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/rdesktop Add patches required to fix CVE-2008-180[...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0aa73b56a963
branches:  trunk
changeset: 542269:0aa73b56a963
user:      tonnerre <tonnerre%pkgsrc.org@localhost>
date:      Sat May 10 15:28:04 2008 +0000

description:
Add patches required to fix CVE-2008-180[123], taken from rdesktop CVS.

1) An integer underflow error in iso.c when processing RDP requests can
   be exploited to cause a heap-based buffer overflow.
2) An input validation error in rdp.c when processing RDP redirect
   requests can be exploited to cause a BSS-based buffer overflow.
3) A signedness error within "xrealloc()" in rdesktop.c can be exploited
   to cause a heap-based buffer overflow.

diffstat:

 net/rdesktop/Makefile         |    4 +-
 net/rdesktop/distinfo         |    9 ++-
 net/rdesktop/patches/patch-ac |   16 +++++
 net/rdesktop/patches/patch-ad |  133 ++++++++++++++++++++++++++++++++++++++++++
 net/rdesktop/patches/patch-ae |   13 ++++
 net/rdesktop/patches/patch-af |   22 ++++++
 net/rdesktop/patches/patch-ag |   33 ++++++++++
 net/rdesktop/patches/patch-ah |   13 ++++
 net/rdesktop/patches/patch-ai |   19 ++++++
 9 files changed, 259 insertions(+), 3 deletions(-)

diffs (truncated from 310 to 300 lines):

diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/Makefile
--- a/net/rdesktop/Makefile     Sat May 10 14:57:19 2008 +0000
+++ b/net/rdesktop/Makefile     Sat May 10 15:28:04 2008 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.33 2008/01/18 05:08:49 tnn Exp $
+# $NetBSD: Makefile,v 1.34 2008/05/10 15:28:04 tonnerre Exp $
 #
 
 DISTNAME=              rdesktop-1.5.0
-PKGREVISION=           3
+PKGREVISION=           4
 CATEGORIES=            net
 MASTER_SITES=          ${MASTER_SITE_SOURCEFORGE:=rdesktop/}
 
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/distinfo
--- a/net/rdesktop/distinfo     Sat May 10 14:57:19 2008 +0000
+++ b/net/rdesktop/distinfo     Sat May 10 15:28:04 2008 +0000
@@ -1,7 +1,14 @@
-$NetBSD: distinfo,v 1.17 2007/06/06 00:16:35 tnn Exp $
+$NetBSD: distinfo,v 1.18 2008/05/10 15:28:04 tonnerre Exp $
 
 SHA1 (rdesktop-1.5.0.tar.gz) = e3086bf865191eed41631813125f482e279c7f3d
 RMD160 (rdesktop-1.5.0.tar.gz) = 350e08166d0b7620b4ed9c6594addae7ec53d15a
 Size (rdesktop-1.5.0.tar.gz) = 245137 bytes
 SHA1 (patch-aa) = dda84f70792828c97aa02567b97d2ae9647b6fcb
 SHA1 (patch-ab) = 396a37a4f6f0751e014bd548f9c44f6c462812e1
+SHA1 (patch-ac) = 075ac18148124e5aaa88ee7e5bbd03059d054703
+SHA1 (patch-ad) = 7d439f5dd9f297b6408c60da9d1838c47cc1a90f
+SHA1 (patch-ae) = 556ddf2c44f873c5af99d5e85c51d3097e46eb8b
+SHA1 (patch-af) = 666ca22f3429722cf277af07bbbef2aadfe08281
+SHA1 (patch-ag) = f36405b112a586b0558f52975d3a7c7e3a0ff933
+SHA1 (patch-ah) = 3ab85738b7e2b62e45e4b1e4f4de3714c00a9fe7
+SHA1 (patch-ai) = c167000000e7cea29fcf33be2c9ca60bc472f4da
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ac     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ac,v 1.5 2008/05/10 15:28:04 tonnerre Exp $
+
+--- iso.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ iso.c
+@@ -98,6 +98,11 @@ iso_recv_msg(uint8 * code, uint8 * rdpve
+                       next_be(s, length);
+               }
+       }
++      if (length < 4)
++      {
++              error("Bad packet header\n");
++              return NULL;
++      }
+       s = tcp_recv(s, length - 4);
+       if (s == NULL)
+               return NULL;
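Review bot: The new `if (length < 4)` guard carries no comment saying where the 4 comes from, and the same constant reappears in `tcp_recv(s, length - 4)` directly below it. A one-line comment above the check would help, for example `/* length counts the 4 header bytes already consumed; anything smaller makes length - 4 wrap */`. That the header is 4 bytes is inferred from the subtraction, because the start of iso_recv_msg, where the header is read, lies outside the hunk.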
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ad     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,133 @@
+$NetBSD: patch-ad,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdp.c.orig 2006-08-07 13:45:43.000000000 +0200
++++ rdp.c
+@@ -241,10 +241,10 @@ rdp_out_unistr(STREAM s, char *string, i
+  * Returns str_len of string
+  */
+ int
+-rdp_in_unistr(STREAM s, char *string, int uni_len)
++rdp_in_unistr(STREAM s, char *string, int str_size, int in_len)
+ {
+ #ifdef HAVE_ICONV
+-      size_t ibl = uni_len, obl = uni_len;
++      size_t ibl = in_len, obl = str_size-1;
+       char *pin = (char *) s->p, *pout = string;
+       static iconv_t iconv_h = (iconv_t) - 1;
+ 
+@@ -258,37 +258,56 @@ rdp_in_unistr(STREAM s, char *string, in
+                                       WINDOWS_CODEPAGE, g_codepage, (int) iconv_h);
+ 
+                               g_iconv_works = False;
+-                              return rdp_in_unistr(s, string, uni_len);
++                              return rdp_in_unistr(s, string, str_size, in_len);
+                       }
+               }
+ 
+               if (iconv(iconv_h, (ICONV_CONST char **) &pin, &ibl, &pout, &obl) == (size_t) - 1)
+               {
+-                      iconv_close(iconv_h);
+-                      iconv_h = (iconv_t) - 1;
+-                      warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
++                      if (errno == E2BIG)
++                      {
++                              warning("server sent an unexpectedly long string, truncating\n");
++                      }
++                      else
++                      {
++                              iconv_close(iconv_h);
++                              iconv_h = (iconv_t) - 1;
++                              warning("rdp_in_unistr: iconv fail, errno %d\n", errno);
+ 
+-                      g_iconv_works = False;
+-                      return rdp_in_unistr(s, string, uni_len);
++                              g_iconv_works = False;
++                              return rdp_in_unistr(s, string, str_size, in_len);
++                      }
+               }
+ 
+               /* we must update the location of the current STREAM for future reads of s->p */
+-              s->p += uni_len;
++              s->p += in_len;
+ 
++              *pout = 0;
+               return pout - string;
+       }
+       else
+ #endif
+       {
+               int i = 0;
++              int len = in_len / 2;
++              int rem = 0;
++
++              if (len > str_size - 1)
++              {
++                      warning("server sent an unexpectedly long string, truncating\n");
++                      len = str_size - 1;
++                      rem = in_len - 2 * len;
++              }
+ 
+-              while (i < uni_len / 2)
++              while (i < len)
+               {
+                       in_uint8a(s, &string[i++], 1);
+                       in_uint8s(s, 1);
+               }
+ 
+-              return i - 1;
++              in_uint8s(s, rem);
++              string[len] = 0;
++              return len;
+       }
+ }
+ 
+@@ -1323,32 +1342,44 @@ process_redirect_pdu(STREAM s /*, uint32
+       in_uint32_le(s, len);
+ 
+       /* read ip string */
+-      rdp_in_unistr(s, g_redirect_server, len);
++      rdp_in_unistr(s, g_redirect_server, sizeof(g_redirect_server), len);
+ 
+       /* read length of cookie string */
+       in_uint32_le(s, len);
+ 
+       /* read cookie string (plain ASCII) */
+-      in_uint8a(s, g_redirect_cookie, len);
++      if (len > sizeof(g_redirect_cookie)-1)
++      {
++              uint32 rem = len - (sizeof(g_redirect_cookie)-1);
++              len = sizeof(g_redirect_cookie)-1;
++
++              warning("Unexpectedly large redirection cookie\n");
++              in_uint8a(s, g_redirect_cookie, len);
++              in_uint8s(s, rem);
++      }
++      else
++      {
++              in_uint8a(s, g_redirect_cookie, len);
++      }
+       g_redirect_cookie[len] = 0;
+ 
+       /* read length of username string */
+       in_uint32_le(s, len);
+ 
+       /* read username string */
+-      rdp_in_unistr(s, g_redirect_username, len);
++      rdp_in_unistr(s, g_redirect_username, sizeof(g_redirect_username), len);
+ 
+       /* read length of domain string */
+       in_uint32_le(s, len);
+ 
+       /* read domain string */
+-      rdp_in_unistr(s, g_redirect_domain, len);
++      rdp_in_unistr(s, g_redirect_domain, sizeof(g_redirect_domain), len);
+ 
+       /* read length of password string */
+       in_uint32_le(s, len);
+ 
+       /* read password string */
+-      rdp_in_unistr(s, g_redirect_password, len);
++      rdp_in_unistr(s, g_redirect_password, sizeof(g_redirect_password), len);
+ 
+       g_redirect = True;
+ 
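Review bot: `rdp_in_unistr` still takes `in_len` as a signed `int` and never rejects a negative value, while process_redirect_pdu passes it lengths read with `in_uint32_le(s, len)`. If `len` is a `uint32` (the added `uint32 rem` suggests so), a value above INT_MAX would presumably arrive as a negative `in_len`. In the non-iconv branch the truncation test `len > str_size - 1` is then false and `string[len] = 0` writes before the buffer; in the iconv branch `ibl` becomes a very large `size_t` and `s->p += in_len` moves the stream pointer backwards. A guard at the top of the function would close this, e.g. `if (in_len < 0) { string[0] = 0; return 0; }`. Checking `in_len` against the bytes left in the stream would be the stronger fix, but the stream bounds are not visible here, and both function bodies extend outside the hunks shown.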
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ae     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- proto.h.orig       2006-08-07 13:45:43.000000000 +0200
++++ proto.h
+@@ -135,7 +135,7 @@ BOOL rd_lock_file(int fd, int start, int
+ void rdp5_process(STREAM s);
+ /* rdp.c */
+ void rdp_out_unistr(STREAM s, char *string, int len);
+-int rdp_in_unistr(STREAM s, char *string, int uni_len);
++int rdp_in_unistr(STREAM s, char *string, int str_size, int in_len);
+ void rdp_send_input(uint32 time, uint16 message_type, uint16 device_flags, uint16 param1,
+                   uint16 param2);
+ void rdp_send_client_window_status(int status);
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-af     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-af,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdpdr.c.orig       2006-08-07 13:45:43.000000000 +0200
++++ rdpdr.c
+@@ -415,7 +415,7 @@ rdpdr_process_irp(STREAM s)
+ 
+                       if (length && (length / 2) < 256)
+                       {
+-                              rdp_in_unistr(s, filename, length);
++                              rdp_in_unistr(s, filename, sizeof(filename), length);
+                               convert_to_unix_filename(filename);
+                       }
+                       else
+@@ -608,7 +608,7 @@ rdpdr_process_irp(STREAM s)
+                                       in_uint8s(s, 0x17);
+                                       if (length && length < 2 * 255)
+                                       {
+-                                              rdp_in_unistr(s, filename, length);
++                                              rdp_in_unistr(s, filename, sizeof(filename), length);
+                                               convert_to_unix_filename(filename);
+                                       }
+                                       else
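Review bot: `sizeof(filename)` at both call sites is the buffer capacity only if `filename` is declared as a char array in rdpdr_process_irp. The declaration is outside the hunk, and for a pointer the expression would yield the pointer size and cut every name to a few bytes. The same holds for `sizeof(newname)` in the disk.c hunk of patch-ah, so both declarations are worth confirming. The return value is also still ignored at these sites, so a name that rdp_in_unistr truncates goes on to `convert_to_unix_filename` with only a warning printed.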
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ag     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-ag,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- printercache.c.orig        2006-08-07 13:45:43.000000000 +0200
++++ printercache.c
+@@ -245,8 +245,8 @@ printercache_process(STREAM s)
+ 
+                       /* NOTE - 'driver' doesn't contain driver, it contains the new printer name */
+ 
+-                      rdp_in_unistr(s, printer, printer_length);
+-                      rdp_in_unistr(s, driver, driver_length);
++                      rdp_in_unistr(s, printer, sizeof(printer), printer_length);
++                      rdp_in_unistr(s, driver, sizeof(printer), driver_length);
+ 
+                       printercache_rename_blob(printer, driver);
+                       break;
+@@ -254,7 +254,7 @@ printercache_process(STREAM s)
+               case 3: /* delete item */
+                       in_uint8(s, printer_unicode_length);
+                       in_uint8s(s, 0x3);      /* padding */
+-                      printer_length = rdp_in_unistr(s, printer, printer_unicode_length);
++                      printer_length = rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+                       printercache_unlink_blob(printer);
+                       break;
+ 
+@@ -264,7 +264,7 @@ printercache_process(STREAM s)
+ 
+                       if (printer_unicode_length < 2 * 255)
+                       {
+-                              rdp_in_unistr(s, printer, printer_unicode_length);
++                              rdp_in_unistr(s, printer, sizeof(printer), printer_unicode_length);
+                               printercache_save_blob(printer, s->p, blob_length);
+                       }
+                       break;
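Review bot: The second call in the rename case passes the wrong buffer's size: `rdp_in_unistr(s, driver, sizeof(printer), driver_length);` bounds the write into `driver` by the size of `printer`. It should read `rdp_in_unistr(s, driver, sizeof(driver), driver_length);`. If the two arrays are declared with the same size this is harmless today, but their declarations are outside the hunk, and the bound silently becomes wrong if `driver` is ever made smaller.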
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ah     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- disk.c.orig        2006-08-07 13:45:43.000000000 +0200
++++ disk.c
+@@ -799,7 +799,7 @@ disk_set_information(NTHANDLE handle, ui
+ 
+                       if (length && (length / 2) < 256)
+                       {
+-                              rdp_in_unistr(in, newname, length);
++                              rdp_in_unistr(in, newname, sizeof(newname), length);
+                               convert_to_unix_filename(newname);
+                       }
+                       else
diff -r b1bc39dbed88 -r 0aa73b56a963 net/rdesktop/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rdesktop/patches/patch-ai     Sat May 10 15:28:04 2008 +0000
@@ -0,0 +1,19 @@
+$NetBSD: patch-ai,v 1.1 2008/05/10 15:28:04 tonnerre Exp $
+
+--- rdesktop.c.orig    2006-08-07 13:45:43.000000000 +0200
++++ rdesktop.c
+@@ -1082,12 +1082,12 @@ xrealloc(void *oldmem, int size)
+ {
+       void *mem;
+ 
+-      if (size < 1)


