Bug 998941 (CVE-2014-0791)

Summary: CVE-2014-0791 freerdp: integer overflow in heap allocation in license_read_scope_list()
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, fweimer, jkurik, kem, security-response-team, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-31 09:37:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 983080, 983081    
Bug Blocks: 982959, 999871    
Attachments:
Description Flags
Possible patch none

Description Florian Weimer 2013-08-20 11:46:34 UTC 
This is from libfreerdp-core/license_read_scope_list():

	stream_read_uint32(s, scopeCount); /* ScopeCount (4 bytes) */

	scopeList->count = scopeCount;
	scopeList->array = (LICENSE_BLOB*) xmalloc(sizeof(LICENSE_BLOB) * scopeCount);

Assuming that scopeCount is read from the wire, this results in an integer overflow in the size computation.  The array is subsequentially filled with pointers and constants, so this is probably not exploitable for anything but a crash:

	/* ScopeArray */
	for (i = 0; i < scopeCount; i++)
	{
		scopeList->array[i].type = BB_SCOPE_BLOB;
		license_read_binary_blob(s, &scopeList->array[i]);
	}

But I'm filing it as an embargoed security bug just to be sure.
Comment 6 Huzaifa S. Sidhpurwala 2014-01-02 08:55:29 UTC 
Created attachment 844423 [details]
Possible patch
Comment 7 Florian Weimer 2014-01-02 09:00:03 UTC 
(In reply to Huzaifa S. Sidhpurwala from comment #6)
> Created attachment 844423 [details]
> Possible patch

Patch looks good to me.
Comment 8 Huzaifa S. Sidhpurwala 2014-01-02 09:07:55 UTC 
This is now submitted as a pull request for upstream at:

https://github.com/FreeRDP/FreeRDP/pull/1649
Comment 9 Murray McAllister 2014-01-06 03:19:46 UTC 
This issue was assigned CVE-2014-0791:

http://www.openwall.com/lists/oss-security/2014/01/03/7
Comment 10 Huzaifa S. Sidhpurwala 2014-03-24 05:57:11 UTC 
Fixed upstream via:

https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45

(There is no new release yet)