diff -Nru freerdp-1.0.2/debian/changelog freerdp-1.0.2/debian/changelog --- freerdp-1.0.2/debian/changelog 2017-08-03 14:01:12.000000000 +0000 +++ freerdp-1.0.2/debian/changelog 2018-12-11 07:28:17.000000000 +0000 @@ -1,3 +1,18 @@ +freerdp (1.0.2-2ubuntu1.2) trusty-security; urgency=medium + + * SECURITY UPDATE: Integer truncation in update_read_bitmap_update + - debian/patches/CVE-2018-8786.patch: Promote count to 32-bit integer + type to avoid integer truncation in libfreerdp-core/update.c. Based on + upstream patch. + - CVE-2018-8786 + * SECURITY UPDATE: Integer overflow in gdi_Bitmap_Decompress + - debian/patches/CVE-2018-8787.patch: Check for and avoid possible + integer overflow in libfreerdp-gdi/graphics.c. Based on upstream + patch. + - CVE-2018-8787 + + -- Alex Murray Tue, 11 Dec 2018 16:36:47 +1030 + freerdp (1.0.2-2ubuntu1.1) trusty-security; urgency=medium * SECURITY UPDATE: integer overflow in xf_Pointer_New diff -Nru freerdp-1.0.2/debian/patches/CVE-2018-8786.patch freerdp-1.0.2/debian/patches/CVE-2018-8786.patch --- freerdp-1.0.2/debian/patches/CVE-2018-8786.patch 1970-01-01 00:00:00.000000000 +0000 +++ freerdp-1.0.2/debian/patches/CVE-2018-8786.patch 2018-12-11 03:41:18.000000000 +0000 @@ -0,0 +1,25 @@ +Backport of: + +From 445a5a42c500ceb80f8fa7f2c11f3682538033f3 Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Mon, 22 Oct 2018 16:25:13 +0200 +Subject: [PATCH] Fixed CVE-2018-8786 + +Thanks to Eyal Itkin from Check Point Software Technologies. +--- + libfreerdp/core/update.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +Index: freerdp-1.0.2/libfreerdp-core/update.c +=================================================================== +--- freerdp-1.0.2.orig/libfreerdp-core/update.c ++++ freerdp-1.0.2/libfreerdp-core/update.c +@@ -90,7 +90,7 @@ void update_read_bitmap(rdpUpdate* updat + + if (bitmap_update->number > bitmap_update->count) + { +- uint16 count; ++ uint32 count; + + count = bitmap_update->number * 2; + diff -Nru freerdp-1.0.2/debian/patches/CVE-2018-8787.patch freerdp-1.0.2/debian/patches/CVE-2018-8787.patch --- freerdp-1.0.2/debian/patches/CVE-2018-8787.patch 1970-01-01 00:00:00.000000000 +0000 +++ freerdp-1.0.2/debian/patches/CVE-2018-8787.patch 2018-12-11 06:15:46.000000000 +0000 @@ -0,0 +1,45 @@ +Backport of: + +From 09b9d4f1994a674c4ec85b4947aa656eda1aed8a Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Mon, 22 Oct 2018 16:30:20 +0200 +Subject: [PATCH] Fixed CVE-2018-8787 + +Thanks to Eyal Itkin from Check Point Software Technologies. +--- + libfreerdp/gdi/graphics.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +Index: freerdp-1.0.2/libfreerdp-gdi/graphics.c +=================================================================== +--- freerdp-1.0.2.orig/libfreerdp-gdi/graphics.c ++++ freerdp-1.0.2/libfreerdp-gdi/graphics.c +@@ -17,6 +17,7 @@ + * limitations under the License. + */ + ++#include + #include + #include + #include +@@ -89,9 +90,18 @@ void gdi_Bitmap_Paint(rdpContext* contex + void gdi_Bitmap_Decompress(rdpContext* context, rdpBitmap* bitmap, + uint8* data, int width, int height, int bpp, int length, boolean compressed) + { +- uint16 size; ++ uint32 size; + +- size = width * height * (bpp + 7) / 8; ++ size = width * height; ++ ++ if (bpp <= 0 || width <= 0 || height <= 0 || ++ width > (UINT32_MAX / height) || ++ size > (UINT32_MAX / (bpp + 7) / 8)) ++ { ++ printf("Invalid parameters, unable to decompress bitmap\n"); ++ return; ++ } ++ size *= (bpp + 7) / 8; + + if (bitmap->data == NULL) + bitmap->data = (uint8*) xmalloc(size); diff -Nru freerdp-1.0.2/debian/patches/series freerdp-1.0.2/debian/patches/series --- freerdp-1.0.2/debian/patches/series 2017-08-03 13:47:56.000000000 +0000 +++ freerdp-1.0.2/debian/patches/series 2018-12-11 04:03:28.000000000 +0000 @@ -5,3 +5,5 @@ CVE-2017-2838.patch CVE-2017-2839.patch CVE-2014-0250.patch +CVE-2018-8786.patch +CVE-2018-8787.patch