Reafctored public key check from libtasn_read_cert_pk_parameters()
into its own function libtasn_cert_pk_oid(). The make use of it
instead of gnutls_x509_crt_get_pk_oid().
Verify the certificate from the peer against the system’s default
trusted CAs. If certificate fails the verification a fallback to
use the certificate cache is used.
The certificate cache is used to give the user the option to add
exceptions for invalid certificates. For example; self-signed
certificates etc.
Even though we can detect that the server buffer is too small to
receive the APDU result we don't prevent the actual copy of this result
to allocated buffer which results in overflow.
Before this change we announce that we support redirection
packet version 3 (Microsoft RDP 5.1 and 5.2 clients), this
makes the server to only send back LB_TARGET_NET_ADDRESS which
includes an IP address for the redirection. Announcing version
4 (Microsoft RDP 6.0 and 6.1 clients) will make the server to
send a LB_TARGET_FQDN which solves a few problems, for example
using kerberos authentication.
Fixes issue #303
This commit includes fixes for a set of 21 vulnerabilities in
rdesktop when a malicious RDP server is used.
All vulnerabilities was identified and reported by Eyal Itkin.
* Add rdp_protocol_error function that is used in several fixes
* Refactor of process_bitmap_updates
* Fix possible integer overflow in s_check_rem() on 32bit arch
* Fix memory corruption in process_bitmap_data - CVE-2018-8794
* Fix remote code execution in process_bitmap_data - CVE-2018-8795
* Fix remote code execution in process_plane - CVE-2018-8797
* Fix Denial of Service in mcs_recv_connect_response - CVE-2018-20175
* Fix Denial of Service in mcs_parse_domain_params - CVE-2018-20175
* Fix Denial of Service in sec_parse_crypt_info - CVE-2018-20176
* Fix Denial of Service in sec_recv - CVE-2018-20176
* Fix minor information leak in rdpdr_process - CVE-2018-8791
* Fix Denial of Service in cssp_read_tsrequest - CVE-2018-8792
* Fix remote code execution in cssp_read_tsrequest - CVE-2018-8793
* Fix Denial of Service in process_bitmap_data - CVE-2018-8796
* Fix minor information leak in rdpsnd_process_ping - CVE-2018-8798
* Fix Denial of Service in process_secondary_order - CVE-2018-8799
* Fix remote code execution in in ui_clip_handle_data - CVE-2018-8800
* Fix major information leak in ui_clip_handle_data - CVE-2018-20174
* Fix memory corruption in rdp_in_unistr - CVE-2018-20177
* Fix Denial of Service in process_demand_active - CVE-2018-20178
* Fix remote code execution in lspci_process - CVE-2018-20179
* Fix remote code execution in rdpsnddbg_process - CVE-2018-20180
* Fix remote code execution in seamless_process - CVE-2018-20181
* Fix remote code execution in seamless_process_line - CVE-2018-20182
There is a limiter used for processing X11 events set to 20
for slicing between processing X11 event and processing data
on file descriptors. Before this fix, when waiting for data on
filedescriptors, we assumed that there were no pending X11
events left on queue and therefore the select() timeout on
60 seconds.
Now we will check the queue and select a timeout depending
on whats left to do.
Fixes bug #275