
Bug#946831: buster-pu: package freerdp2/2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I have just uploaded freerdp2
2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1 to buster with the following
change:

+  * debian/patches:
+    + Add 0001_CVE-2019-17177.patch. Fix realloc return handling.
+      (CVE-2019-17177).
+

-> Fixes a <no-dsa> security issue.

Greets,
Mike

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog	2019-02-04 10:04:45.000000000 +0100
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/changelog	2019-12-16 11:36:02.000000000 +0100
@@ -1,3 +1,11 @@
+freerdp2 (2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    + Add 0001_CVE-2019-17177.patch. Fix realloc return handling.
+      (CVE-2019-17177).
+
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 16 Dec 2019 11:36:02 +0100
+
 freerdp2 (2.0.0~git20190204.1.2693389a+dfsg1-1) unstable; urgency=medium
 
   * Import Git snapshot for 2.0.0-2693389a (post ~rc4) from upstream:
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch	1970-01-01 01:00:00.000000000 +0100
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/0001_CVE-2019-17177.patch	2019-12-16 11:35:50.000000000 +0100
@@ -0,0 +1,171 @@
+From fc80ab45621bd966f70594c0b7393ec005a94007 Mon Sep 17 00:00:00 2001
+From: Armin Novak <armin.novak@thincast.com>
+Date: Fri, 4 Oct 2019 14:49:30 +0200
+Subject: [PATCH] Fixed #5645: realloc return handling
+
+---
+ client/X11/generate_argument_docbook.c | 33 +++++++++++++++++++++-----
+ libfreerdp/codec/region.c              | 20 ++++++++++++----
+ winpr/libwinpr/utils/lodepng/lodepng.c |  6 ++++-
+ 3 files changed, 48 insertions(+), 11 deletions(-)
+
+--- a/client/X11/generate_argument_docbook.c
++++ b/client/X11/generate_argument_docbook.c
+@@ -9,6 +9,7 @@
+ LPSTR tr_esc_str(LPCSTR arg, bool format)
+ {
+ 	LPSTR tmp = NULL;
++	LPSTR tmp2 = NULL;
+ 	size_t cs = 0, x, ds, len;
+ 	size_t s;
+ 
+@@ -25,7 +26,12 @@
+ 	ds = s + 1;
+ 
+ 	if (s)
+-		tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++	{
++		tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++		if (!tmp2)
++			free(tmp);
++		tmp = tmp2;
++	}
+ 
+ 	if (NULL == tmp)
+ 	{
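Review bot: The same realloc / free-on-failure / assign sequence is written out by hand in this hunk and again in the five `case` hunks that follow ('<', '>', '\'', '"' and '&'), and failure handling copied six times is easy to get wrong in one copy. A small file-local helper that returns the grown buffer, or frees the old one and returns NULL, would leave one call per site, e.g. `tmp = tr_esc_realloc(tmp, ds * sizeof(CHAR));`, with the existing `NULL == tmp` checks unchanged. tr_esc_str starts before this hunk and continues after it, so the helper name and placement are only a suggestion.

```c
/* Grow p to n bytes; on failure release the old block and return NULL. */
static LPSTR tr_esc_realloc(LPSTR p, size_t n)
{
	LPSTR grown = (LPSTR)realloc(p, n);

	if (!grown)
		free(p);

	return grown;
}

/* … unchanged: tr_esc_str prologue and length computation … */
	if (s)
		tmp = tr_esc_realloc(tmp, ds * sizeof(CHAR));
/* … unchanged: NULL check and escape loop; each case calls tr_esc_realloc the same way … */
```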
+@@ -43,7 +49,10 @@
+ 			case '<':
+ 				len = format ? 13 : 4;
+ 				ds += len - 1;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+ 
+ 				if (NULL == tmp)
+ 				{
+@@ -64,7 +73,10 @@
+ 			case '>':
+ 				len = format ? 14 : 4;
+ 				ds += len - 1;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+ 
+ 				if (NULL == tmp)
+ 				{
+@@ -84,7 +96,10 @@
+ 
+ 			case '\'':
+ 				ds += 5;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+ 
+ 				if (NULL == tmp)
+ 				{
+@@ -102,7 +117,10 @@
+ 
+ 			case '"':
+ 				ds += 5;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+ 
+ 				if (NULL == tmp)
+ 				{
+@@ -120,7 +138,10 @@
+ 
+ 			case '&':
+ 				ds += 4;
+-				tmp = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				tmp2 = (LPSTR)realloc(tmp, ds * sizeof(CHAR));
++				if (!tmp2)
++					free(tmp);
++				tmp = tmp2;
+ 
+ 				if (NULL == tmp)
+ 				{
+--- a/libfreerdp/codec/region.c
++++ b/libfreerdp/codec/region.c
+@@ -469,8 +469,12 @@
+ 
+ 	if (finalNbRects != nbRects)
+ 	{
+-		int allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
+-		region->data = realloc(region->data, allocSize);
++		REGION16_DATA* data;
++		size_t allocSize = sizeof(REGION16_DATA) + (finalNbRects * sizeof(RECTANGLE_16));
++		data = realloc(region->data, allocSize);
++		if (!data)
++			free(region->data);
++		region->data = data;
+ 
+ 		if (!region->data)
+ 		{
+@@ -487,6 +491,7 @@
+ 
+ BOOL region16_union_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++	REGION16_DATA* data;
+ 	const RECTANGLE_16* srcExtents;
+ 	RECTANGLE_16* dstExtents;
+ 	const RECTANGLE_16* currentBand, *endSrcRect, *nextBand;
+@@ -675,7 +680,10 @@
+ 	dstExtents->bottom = MAX(rect->bottom, srcExtents->bottom);
+ 	dstExtents->right = MAX(rect->right, srcExtents->right);
+ 	newItems->size = sizeof(REGION16_DATA) + (usedRects * sizeof(RECTANGLE_16));
+-	dst->data = realloc(newItems, newItems->size);
++	data = realloc(newItems, newItems->size);
++	if (!data)
++		free(dst->data);
++	dst->data = data;
+ 
+ 	if (!dst->data)
+ 	{
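Review bot: On realloc failure the added branch frees `dst->data`, but the block passed to realloc is `newItems`, which stays allocated when realloc returns NULL, so `newItems` leaks and an unrelated pointer is released. The region16_intersect_rect hunk further down repeats the pattern, and its context lines show `free(dst->data)` already executed when `dst->data->size` is non-zero, so the failure path there frees the same pointer twice. When the size is zero the pointer may be a shared empty-region object that must not be freed at all, which is not visible here. The failure branch should read `if (!data) free(newItems);` in both places. Both function bodies extend outside the hunks, so whether region16_union_rect also released `dst->data` earlier cannot be confirmed from this page.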
+@@ -719,6 +727,7 @@
+ 
+ BOOL region16_intersect_rect(REGION16* dst, const REGION16* src, const RECTANGLE_16* rect)
+ {
++	REGION16_DATA* data;
+ 	REGION16_DATA* newItems;
+ 	const RECTANGLE_16* srcPtr, *endPtr, *srcExtents;
+ 	RECTANGLE_16* dstPtr;
+@@ -791,7 +800,10 @@
+ 	if (dst->data->size)
+ 		free(dst->data);
+ 
+-	dst->data = realloc(newItems, newItems->size);
++	data = realloc(newItems, newItems->size);
++	if (!data)
++		free(dst->data);
++	dst->data = data;
+ 
+ 	if (!dst->data)
+ 	{
+--- a/winpr/libwinpr/utils/lodepng/lodepng.c
++++ b/winpr/libwinpr/utils/lodepng/lodepng.c
+@@ -840,11 +840,15 @@
+ static unsigned HuffmanTree_makeFromFrequencies(HuffmanTree* tree, const unsigned* frequencies,
+                                                 size_t mincodes, size_t numcodes, unsigned maxbitlen)
+ {
++	unsigned* lengths;
+   unsigned error = 0;
+   while(!frequencies[numcodes - 1] && numcodes > mincodes) numcodes--; /*trim zeroes*/
+   tree->maxbitlen = maxbitlen;
+   tree->numcodes = (unsigned)numcodes; /*number of symbols*/
+-  tree->lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++  lengths = (unsigned*)realloc(tree->lengths, numcodes * sizeof(unsigned));
++	if (!lengths)
++		free(tree->lengths);
++	tree->lengths = lengths;
+   if(!tree->lengths) return 83; /*alloc fail*/
+   /*initialize all lengths to 0*/
+   memset(tree->lengths, 0, numcodes * sizeof(unsigned));
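Review bot: The added `if (!lengths) free(tree->lengths);` assumes a NULL return from realloc always means the old block is still allocated, which does not hold for a zero-byte request on implementations where `realloc(p, 0)` frees `p` and returns NULL. The trim loop keeps `numcodes` at or above `mincodes`, so this is safe only if every caller passes `mincodes > 0`, and the callers are outside this hunk. I would state that precondition next to the call, e.g. `/* numcodes >= mincodes > 0, so realloc is never asked for 0 bytes */`, or guard the free with `numcodes != 0`. As a style point, the four added lines are tab-indented in a function that otherwise uses two spaces.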
diff -Nru freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series
--- freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series	2019-02-04 10:04:45.000000000 +0100
+++ freerdp2-2.0.0~git20190204.1.2693389a+dfsg1/debian/patches/series	2019-12-16 11:35:50.000000000 +0100
@@ -1 +1,2 @@
 1001_spelling-fixes.patch
+0001_CVE-2019-17177.patch
