freerdp: CVE-2014-0250: integer overflows in xf_graphics.c

Related Vulnerabilities: CVE-2014-0250  

Debian Bug report logs - #749585


Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 28 May 2014 11:36:01 UTC

Severity: important

Tags: security

Found in versions 1.0.2-4, 1.0.1-1.1+deb7u3

Fixed in version 1.1.0~git20140809.1.b07a5c1+dfsg-1

Done: Mike Gabriel <sunweaver@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Mike Gabriel <sunweaver@debian.org>:
Bug#749585; Package freerdp. (Wed, 28 May 2014 11:36:05 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Mike Gabriel <sunweaver@debian.org>. (Wed, 28 May 2014 11:36:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: freerdp: CVE-2014-0250: integer overflows in xf_graphics.c
Date: Wed, 28 May 2014 14:33:19 +0300
Package: freerdp
Version: 1.0.2-4
Severity: important
Tags: security

Advisory: https://github.com/FreeRDP/FreeRDP/issues/1871
Potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657

"""
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:

void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
{
XcursorImage ci;
[…]
ci.width = pointer->width;
ci.height = pointer->height;
[…]
ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);

The width and height members are read from the wire. Both are 16 bit, but
because of the multiplication with 4, the allocation still overflows (on 32 bit
and 64 bit).

xf_Bitmap_Decompress() appears to have a similar issue.
"""

---
Henri Salo
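
Added example (not part of the original report and not FreeRDP code): the size arithmetic from the report next to a checked form. It assumes the product is evaluated in 32-bit unsigned arithmetic; checked_size() and alloc_pixels() are hypothetical names, and the dimensions in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u

/* Size as malloc(width * height * 4) computes it when the operands are
 * 32-bit unsigned (assumption): the product wraps modulo 2^32. */
static uint32_t wrapped_size(uint16_t width, uint16_t height)
{
    uint32_t w = width, h = height;
    return w * h * BYTES_PER_PIXEL;
}

/* Checked form (hypothetical helper): do the multiplication in 64 bits and
 * reject empty images and sizes that would not survive a 32-bit size. */
static int checked_size(uint16_t width, uint16_t height, uint32_t *out)
{
    uint64_t need = (uint64_t)width * height * BYTES_PER_PIXEL;
    if (need == 0 || need > UINT32_MAX)
        return -1;
    *out = (uint32_t)need;
    return 0;
}

/* Hypothetical allocator: refuses the request instead of under-allocating. */
static void *alloc_pixels(uint16_t width, uint16_t height)
{
    uint32_t n;
    if (checked_size(width, height, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions, not taken from a real session. */
    const uint16_t dims[][2] = { {32, 32}, {0x8000, 0x8000}, {0x8001, 0x8000} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t n = 0;
        int ok = checked_size(dims[i][0], dims[i][1], &n) == 0;
        printf("%ux%u: unchecked=%u checked=%s\n", (unsigned)dims[i][0],
               (unsigned)dims[i][1],
               (unsigned)wrapped_size(dims[i][0], dims[i][1]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A production check would normally also cap the dimensions at a sane maximum for a cursor or bitmap rather than only rejecting sizes that wrap.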

Marked as found in versions 1.0.1-1.1+deb7u3. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 28 May 2014 11:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#749585; Package freerdp. (Mon, 11 Aug 2014 22:21:05 GMT)


Acknowledgement sent to Mike Gabriel <sunweaver@debian.org>:
Extra info received and forwarded to list. (Mon, 11 Aug 2014 22:21:05 GMT)


Message #12 received at 749585@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: Henri Salo <henri@nerv.fi>, 749585@bugs.debian.org
Cc: 749585-submitter@bugs.debian.org
Subject: Re: Bug#749585: freerdp: CVE-2014-0250: integer overflows in xf_graphics.c
Date: Mon, 11 Aug 2014 22:18:23 +0000
Control: close -1
Control: fixed -1 1.1.0~git20140809.1.b07a5c1+dfsg-1

On Wed 28 May 2014 13:33:19 CEST, Henri Salo wrote:

> Package: freerdp
> Version: 1.0.2-4
> Severity: important
> Tags: security
>
> Advisory: https://github.com/FreeRDP/FreeRDP/issues/1871
> Potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657
>
> """
> client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way:
>
> void xf_Pointer_New(rdpContext* context, rdpPointer* pointer)
> {
> XcursorImage ci;
> […]
> ci.width = pointer->width;
> ci.height = pointer->height;
> […]
> ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4);
>
> The width and height members are read from the wire. Both are 16 bit, but
> because of the multiplication with 4, the allocation still overflows (on 32 bit
> and 64 bit).
>
> xf_Bitmap_Decompress() appears to have a similar issue.
> """
>
> ---
> Henri Salo

Recently, version 1.1.0~git20140809.1.b07a5c1+dfsg-1 of freerdp has  
been uploaded to Debian unstable. During post-upload bug  
introspection, I realized that this bug should have been closed with  
the upload.

Thus, closing it for the freerdp version in unstable.

Mike


-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net


Marked Bug as done. Request was from Mike Gabriel <sunweaver@debian.org> to 749585-submit@bugs.debian.org. (Mon, 11 Aug 2014 22:21:05 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 11 Aug 2014 22:21:06 GMT)


Marked as fixed in versions 1.1.0~git20140809.1.b07a5c1+dfsg-1. Request was from Mike Gabriel <sunweaver@debian.org> to 749585-submit@bugs.debian.org. (Mon, 11 Aug 2014 22:21:06 GMT)


Message sent on to Henri Salo <henri@nerv.fi>:
Bug#749585. (Mon, 11 Aug 2014 22:21:28 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Nov 2014 07:40:01 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:05 2019; Machine Name: buxtehude
