From: Gyorgy Sarvari via lists.openembedded.org <[email protected]>
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39350

Pick the patch that was identified[1] by Debian as the solution.

Note that the NVD report also references a commit as a patch - however that seems to be incorrect. Although the NVD patch also solves a vulnerability, it solves a different CVE (CVE-2023-39353), not this.

[1]: https://security-tracker.debian.org/tracker/CVE-2023-39350

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
v1: https://lists.openembedded.org/g/openembedded-devel/message/123658
v2: In v1, the patch was included that was identified by NVD as the solution. Looking at it closer, it doesn't look correct, it solves a different vulnerability. This patch picks the commit that was identified by Debian as the solution, which fits the vulnerability description also better.

 .../freerdp/freerdp/CVE-2023-39350.patch | 42 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch new file mode 100644 index 0000000000..9f4590d90e --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch 
@@ -0,0 +1,42 @@ +From 31ede2c7f721cb32a4a4c7ec843e9ddafb69ba53 Mon Sep 17 00:00:00 2001 +From: akallabeth <[email protected]> +Date: Fri, 4 Aug 2023 13:55:40 +0200 +Subject: [PATCH] fix possible out of bound read + +Allows malicious servers to crash FreeRDP based clients +reported by pwn2carr + +(cherry picked from commit a51952882f2eb3bbce6b69a7a4f9a54bf1dbb672) + +CVE: CVE-2023-39350 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/7ece410ce5b5660b9191e1ccb6835158afa11822] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + libfreerdp/codec/rfx.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c +index 38eb1b9a4..bbd7aafa3 100644 +--- a/libfreerdp/codec/rfx.c ++++ b/libfreerdp/codec/rfx.c +@@ -1129,8 +1129,18 @@ BOOL rfx_process_message(RFX_CONTEXT* context, const BYTE* data, UINT32 length, + } + } + +- Stream_StaticInit(&subStream, Stream_Pointer(s), blockLen - (6 + extraBlockLen)); +- Stream_Seek(s, blockLen - (6 + extraBlockLen)); ++ const size_t blockLenNoHeader = blockLen - 6; ++ if (blockLenNoHeader < extraBlockLen) ++ { ++ WLog_Print(context->priv->log, WLOG_ERROR, ++ "blockLen too small(%" PRIu32 "), must be >= 6 + %" PRIu16, blockLen, ++ extraBlockLen); ++ return FALSE; ++ } ++ ++ const size_t subStreamLen = blockLenNoHeader - extraBlockLen; ++ Stream_StaticInit(&subStream, Stream_Pointer(s), subStreamLen); ++ Stream_Seek(s, subStreamLen); + + switch (blockType) + { diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 7cadae3d45..a104f33e52 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb 
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2022-24883.patch \ file://CVE-2022-39282.patch \ file://CVE-2022-39320.patch \ + file://CVE-2023-39350.patch \ " S = "${WORKDIR}/git"
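
Review bot: In the rfx.c hunk, `const size_t blockLenNoHeader = blockLen - 6;` is computed before anything visible in the context checks that blockLen is at least 6. blockLen is logged with PRIu32, so it is a 32-bit unsigned value; for blockLen < 6 the subtraction wraps to a very large number, the new `blockLenNoHeader < extraBlockLen` test does not trigger, and subStreamLen passed to Stream_StaticInit and Stream_Seek is far larger than the block. If code above the shown context already rejects blockLen < 6, a one-line comment saying so would make the hunk self-explanatory; otherwise compare before subtracting, for example `if (blockLen < 6 + extraBlockLen)`, which also matches the log text "must be >= 6 + ...". Separately, the embedded patch header names three different commits (the From line 31ede2c7..., the cherry-pick reference a5195288..., and the Upstream-Status URL 7ece410c...); a sentence stating which of these the backport was actually taken from would make the CVE mapping easier to audit, given the v2 note about the NVD reference pointing at the wrong fix.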
