Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24883
Pick the patch that is mentioned in teh NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../freerdp/freerdp/CVE-2022-24883.patch | 102 ++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 9 +- 2 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2022-24883.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-24883.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-24883.patch new file mode 100644 index 0000000000..12f5efd8e7 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2022-24883.patch @@ -0,0 +1,102 @@ +From 3912ccfe5bac0db647b9e1c26b50e75055aee4b9 Mon Sep 17 00:00:00 2001 +From: akallabeth <[email protected]> +Date: Fri, 22 Apr 2022 14:42:11 +0200 +Subject: [PATCH] Cleaned up ntlm_fetch_ntlm_v2_hash + +(cherry picked from commit 4661492e5a617199457c8074bad22f766a116cdc) + +CVE: CVE-2022-24883 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/6f473b273a4b6f0cb6aca32b95e22fd0de88e144] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + winpr/libwinpr/sspi/NTLM/ntlm_compute.c | 60 ++++++++++--------------- + 1 file changed, 24 insertions(+), 36 deletions(-) + +diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c +index dbd7f7fb0..48c07d5c1 100644 +--- a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c ++++ b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c +@@ -206,59 +206,47 @@ void ntlm_generate_timestamp(NTLM_CONTEXT* context) + ntlm_current_time(context->Timestamp); + } + +-static int ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash) ++static BOOL ntlm_fetch_ntlm_v2_hash(NTLM_CONTEXT* context, BYTE* hash) + { +- WINPR_SAM* sam; +- WINPR_SAM_ENTRY* entry; ++ BOOL rc = FALSE; ++ WINPR_SAM* sam = NULL; ++ WINPR_SAM_ENTRY* entry = NULL; + SSPI_CREDENTIALS* credentials = context->credentials; + sam = SamOpen(context->SamFile, TRUE); + + if (!sam) +- return -1; ++ goto fail; + + entry = SamLookupUserW( +- sam, (LPWSTR)credentials->identity.User, credentials->identity.UserLength * 2, +- (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * 2); ++ sam, (LPWSTR)credentials->identity.User, credentials->identity.UserLength * sizeof(WCHAR), ++ (LPWSTR)credentials->identity.Domain, credentials->identity.DomainLength * sizeof(WCHAR)); + +- if (entry) ++ if (!entry) + { +-#ifdef WITH_DEBUG_NTLM +- WLog_DBG(TAG, "NTLM Hash:"); +- winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16); +-#endif +- NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User, +- credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain, +- credentials->identity.DomainLength * 2, (BYTE*)hash); +- SamFreeEntry(sam, entry); +- SamClose(sam); +- return 1; ++ entry = SamLookupUserW(sam, (LPWSTR)credentials->identity.User, ++ credentials->identity.UserLength * sizeof(WCHAR), NULL, 0); + } + +- entry = SamLookupUserW(sam, (LPWSTR)credentials->identity.User, +- credentials->identity.UserLength * 2, NULL, 0); +- +- if (entry) +- { ++ if (!entry) ++ goto fail; + #ifdef WITH_DEBUG_NTLM + WLog_DBG(TAG, "NTLM Hash:"); + winpr_HexDump(TAG, WLOG_DEBUG, entry->NtHash, 16); + #endif +- NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User, +- credentials->identity.UserLength * 2, (LPWSTR)credentials->identity.Domain, +- credentials->identity.DomainLength * 2, (BYTE*)hash); +- SamFreeEntry(sam, entry); +- SamClose(sam); +- return 1; +- } +- else +- { +- SamClose(sam); +- WLog_ERR(TAG, "Error: Could not find user in SAM database"); +- return 0; +- } ++ NTOWFv2FromHashW(entry->NtHash, (LPWSTR)credentials->identity.User, ++ credentials->identity.UserLength * sizeof(WCHAR), ++ (LPWSTR)credentials->identity.Domain, ++ credentials->identity.DomainLength * sizeof(WCHAR), (BYTE*)hash); ++ ++ rc = TRUE; + ++fail: ++ SamFreeEntry(sam, entry); + SamClose(sam); +- return 1; ++ if (!rc) ++ WLog_ERR(TAG, "Error: Could not find user in SAM database"); ++ ++ return rc; + } + + static int ntlm_convert_password_hash(NTLM_CONTEXT* context, BYTE* hash) diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 9da8b27c0d..2271be3c6c 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -15,10 +15,11 @@ PKGV = "${GITPKGVTAG}" SRCREV = "658a72980f6e93241d927c46cfa664bf2547b8b1" SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \ - file://winpr-makecert-Build-with-install-RPATH.patch \ - file://CVE-2022-39316.patch \ - file://CVE-2022-39318-39319.patch \ -" + file://winpr-makecert-Build-with-install-RPATH.patch \ + file://CVE-2022-39316.patch \ + file://CVE-2022-39318-39319.patch \ + file://CVE-2022-24883.patch \ + " S = "${WORKDIR}/git"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123654): https://lists.openembedded.org/g/openembedded-devel/message/123654 Mute This Topic: https://lists.openembedded.org/mt/117359790/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
