Bug 880317 (CVE-2014-0250) - VUL-0: CVE-2014-0250: freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c
Summary: VUL-0: CVE-2014-0250: freerdp: integer overflows in memory allocations in cli...
Status: RESOLVED FIXED
Alias: CVE-2014-0250
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.1
: P2 - High : Normal
Target Milestone: ---
Deadline: 2014-06-26
Assignee: David Liang
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/99138/
Whiteboard: maint:running:57801:moderate
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-28 11:26 UTC by Sebastian Krahmer
Modified: 2016-10-12 13:10 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Johannes Segitz 2014-06-12 08:57:45 UTC 
Upstream bug: https://github.com/FreeRDP/FreeRDP/issues/1871

In SLE11 SP3 its X11/xf_win.c, l_ui_create_cursor
Comment 2 Swamp Workflow Management 2014-06-12 09:00:30 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57801
Comment 3 SMASH SMASH 2014-06-12 09:05:15 UTC 
Affected packages:

SLE-11-SP3: freerdp
Comment 4 David Liang 2014-06-12 10:27:58 UTC 
The upstream solution is in the libfreerdp/core/update.c
        if ((pointer_color->width > 96) || (pointer_color->height > 96))
                return FALSE;


In sle11-sp3, the width and the height is more strict, set to 32. in libfreerdp/rdp.c

        if ((width != 32) || (height != 32))
        {
                ui_error(rdp->inst, "process_color_pointer_common: error "
                        "width %d height %d\n", width, height);
                return;
        }

So 11-sp3 was not affected.

(In reply to comment #1)
> Upstream bug: https://github.com/FreeRDP/FreeRDP/issues/1871
> 
> In SLE11 SP3 its X11/xf_win.c, l_ui_create_cursor
Comment 5 Johannes Segitz 2014-06-12 11:14:43 UTC 
Good, than we only have to fix openSUSE and SLE12
Comment 6 David Liang 2014-06-13 05:01:42 UTC 
Make a minimum patch to solve the CVE bug only.
Submitted to sle12 and openSUSD:factory.
Comment 7 Bernhard Wiedemann 2014-06-13 06:00:11 UTC 
This is an autogenerated message for OBS integration:
This bug (880317) was mentioned in
https://build.opensuse.org/request/show/237030 Factory / freerdp
Comment 11 Bernhard Wiedemann 2014-06-24 12:00:18 UTC 
This is an autogenerated message for OBS integration:
This bug (880317) was mentioned in
https://build.opensuse.org/request/show/238487 12.3 / freerdp
https://build.opensuse.org/request/show/238488 13.1 / freerdp
Comment 13 Johannes Segitz 2014-06-25 07:28:32 UTC 
No need to submit anything since I took you submit for bnc#857491 and reused it here.
Comment 14 Swamp Workflow Management 2014-07-01 12:04:38 UTC 
openSUSE-SU-2014:0862-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 857491,880317
CVE References: CVE-2014-0250,CVE-2014-0791
Sources used:
openSUSE 13.1 (src):    freerdp-1.0.2-3.4.1
openSUSE 12.3 (src):    freerdp-1.0.2-11.12.1
Comment 17 Swamp Workflow Management 2016-10-12 13:10:44 UTC 
SUSE-SU-2016:2506-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 829013,857491,880317
CVE References: CVE-2013-4118,CVE-2014-0250,CVE-2014-0791
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    freerdp-1.0.2-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    freerdp-1.0.2-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    freerdp-1.0.2-9.1