Bug 998934 (CVE-2014-0250)
| Summary: | CVE-2014-0250 freerdp: integer overflows in memory allocations in client/X11/xf_graphics.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Florian Weimer <fweimer> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | fweimer, jkurik, kem, security-response-team, vkrizan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-05-31 20:33:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 983080, 983081 | ||
| Bug Blocks: | 982959, 999871 | ||
This issue is potentially related: https://github.com/FreeRDP/FreeRDP/issues/1657 This issue has been assigned CVE-2014-0250 Filed an upstream bug via: https://github.com/FreeRDP/FreeRDP/issues/1871 |
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way: void xf_Pointer_New(rdpContext* context, rdpPointer* pointer) { XcursorImage ci; […] ci.width = pointer->width; ci.height = pointer->height; […] ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4); The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit). xf_Bitmap_Decompress() appears to have a similar issue. These look very much like a trust boundary is crossed. Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).