diff --git a/CVE-2024-22211.patch b/CVE-2024-22211.patch deleted file mode 100644 index 7acdf620edf0c3ce222381ecc0e90850bb639bc6..0000000000000000000000000000000000000000 --- a/CVE-2024-22211.patch +++ /dev/null @@ -1,34 +0,0 @@ -From aeac3040cc99eeaff1e1171a822114c857b9dca9 Mon Sep 17 00:00:00 2001 -From: Armin Novak -Date: Sat, 13 Jan 2024 21:01:55 +0100 -Subject: [PATCH] [codec,planar] check resolution for overflow - -Origin: https://github.com/FreeRDP/FreeRDP/commit/aeac3040cc99eeaff1e1171a822114c857b9dca9 - -If the codec resolution is too large return an error as the internal -buffers would otherwise overflow. - -(cherry picked from commit 44edab1deae4f8c901c00a00683f888cef36d853) ---- - libfreerdp/codec/planar.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c -index b4815a632309..0a5ec581c6cc 100644 ---- a/libfreerdp/codec/planar.c -+++ b/libfreerdp/codec/planar.c -@@ -1496,7 +1496,13 @@ BOOL freerdp_bitmap_planar_context_reset(BITMAP_PLANAR_CONTEXT* context, UINT32 - context->bgr = FALSE; - context->maxWidth = PLANAR_ALIGN(width, 4); - context->maxHeight = PLANAR_ALIGN(height, 4); -- context->maxPlaneSize = context->maxWidth * context->maxHeight; -+ const UINT64 tmp = (UINT64)context->maxWidth * context->maxHeight; -+ if (tmp > UINT32_MAX) -+ return FALSE; -+ context->maxPlaneSize = tmp; -+ -+ if (context->maxWidth > UINT32_MAX / 4) -+ return FALSE; - context->nTempStep = context->maxWidth * 4; - free(context->planesBuffer); - free(context->pTempData); diff --git a/CVE-2024-32661.patch b/CVE-2024-32661.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e727954458da963d38eef9e95cbecef952d27cf --- /dev/null +++ b/CVE-2024-32661.patch @@ -0,0 +1,25 @@ +From 71e463e31b4d69f4022d36bfc814592f56600793 Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Sun, 21 Apr 2024 13:56:13 +0200 +Subject: [PATCH] [core,info] fix missing check in rdp_write_logon_info_v1 + +Origin: https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793 + +--- + libfreerdp/core/info.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/libfreerdp/core/info.c ++++ b/libfreerdp/core/info.c +@@ -1322,6 +1322,10 @@ static BOOL rdp_write_logon_info_v1(wStr + return FALSE; + + /* domain */ ++ WINPR_ASSERT(info); ++ if (!info->domain || !info->username) ++ return FALSE; ++ + ilen = ConvertToUnicode(CP_UTF8, 0, info->domain, -1, &wString, 0); + + if (ilen < 0) + diff --git a/Fix-clang-incompatible-function-pointer-error.patch b/Fix-clang-incompatible-function-pointer-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b4b9b262614f95532b2525171af08fddaa0fe27 --- /dev/null +++ b/Fix-clang-incompatible-function-pointer-error.patch @@ -0,0 +1,48 @@ +From 0a35fd99e25e085a4826a7e5af4711034fec2eed Mon Sep 17 00:00:00 2001 +From: yanying <201250106@smail.nju.edu.cn> +Date: Mon, 5 Aug 2024 23:42:40 +0800 +Subject: [PATCH] Fix clang incompatible function pointer error + +--- + libfreerdp/codec/rfx.c | 4 ++-- + winpr/include/winpr/collections.h | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c +index ccbc5afe4..eec736558 100644 +--- a/libfreerdp/codec/rfx.c ++++ b/libfreerdp/codec/rfx.c +@@ -153,7 +153,7 @@ static void rfx_tile_init(void* obj) + } + } + +-static void* rfx_decoder_tile_new(void* val) ++static void* rfx_decoder_tile_new(const void* val) + { + RFX_TILE* tile = NULL; + WINPR_UNUSED(val); +@@ -184,7 +184,7 @@ static void rfx_decoder_tile_free(void* obj) + } + } + +-static void* rfx_encoder_tile_new(void* val) ++static void* rfx_encoder_tile_new(const void* val) + { + WINPR_UNUSED(val); + return calloc(1, sizeof(RFX_TILE)); +diff --git a/winpr/include/winpr/collections.h b/winpr/include/winpr/collections.h +index 807f011d7..b8c8d9d66 100644 +--- a/winpr/include/winpr/collections.h ++++ b/winpr/include/winpr/collections.h +@@ -36,7 +36,7 @@ extern "C" + { + #endif + +- typedef void* (*OBJECT_NEW_FN)(void* val); ++ typedef void* (*OBJECT_NEW_FN)(const void* val); + typedef void (*OBJECT_INIT_FN)(void* obj); + typedef void (*OBJECT_UNINIT_FN)(void* obj); + typedef void (*OBJECT_FREE_FN)(void* obj); +-- +2.41.0.windows.1 + diff --git a/freerdp-2.11.1.tar.gz b/freerdp-2.11.7.tar.gz similarity index 51% rename from freerdp-2.11.1.tar.gz rename to freerdp-2.11.7.tar.gz index 99e92cc8ad6645403824815443686ff1cf807762..ae6741f8f28ead8a6bc59f99ee0b006cf08bda05 100644 Binary files a/freerdp-2.11.1.tar.gz and b/freerdp-2.11.7.tar.gz differ diff --git a/freerdp.spec b/freerdp.spec index ac5b616cc9d91cc612a44835d1a66655a83cb0a6..083136b0b131599a9ed7b6847baf7ce0ede0a94c 100644 --- a/freerdp.spec +++ b/freerdp.spec @@ -1,6 +1,6 @@ Name: freerdp -Version: 2.11.1 -Release: 2 +Version: 2.11.7 +Release: 3 Epoch: 2 Summary: A Remote Desktop Protocol Implementation License: Apache-2.0 @@ -8,7 +8,8 @@ URL: http://www.freerdp.com Source0: https://github.com/FreeRDP/FreeRDP/releases/download/%{version}/freerdp-%{version}.tar.gz Patch0001: Fix-freerdp-shadow-cli-exit-codes-for-help-and-version.patch -Patch0002: CVE-2024-22211.patch +Patch0002: CVE-2024-32661.patch +Patch0003: Fix-clang-incompatible-function-pointer-error.patch BuildRequires: gcc gcc-c++ alsa-lib-devel cmake >= 2.8 cups-devel gsm-devel libXrandr-devel libXv-devel BuildRequires: libjpeg-turbo-devel libjpeg-turbo-devel libX11-devel libXcursor-devel libxkbfile-devel @@ -138,6 +139,17 @@ echo "%{_libdir}/freerdp2" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_ %{_mandir}/*/* %changelog +* Mon Aug 05 2024 yanying <201250106@smail.nju.edu.cn> - 2:2.11.7-3 +- Fix clang incompatible function pointer error + +* Mon May 06 2024 wangkai <13474090681@163.com> - 2:2.11.7-2 +- Fix CVE-2024-32661 + +* Tue Apr 23 2024 wangkai <13474090681@163.com> - 2:2.11.7-1 +- Update to 2.11.7 for fix CVE-2024-32039,CVE-2024-32040, + CVE-2024-32041,CVE-2024-32458,CVE-2024-32459,CVE-2024-32460, + CVE-2024-32658,CVE-2024-32659 and CVE-2024-32660 + * Wed Jan 24 2024 wangkai <13474090681@163.com> - 2:2.11.1-2 - Fix CVE-2024-22211