Bug 983078 (CVE-2013-4118, CVE-2013-4119)

Summary: CVE-2013-4119 freerdp: Multiple security fixes in versions after 1.1.0-beta1
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fweimer, kem, mads, negativo17, vkrizan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-31 12:38:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 983079, 983080, 983081, 987518    
Bug Blocks: 982959, 999871    

Description Jan Lieskovsky 2013-07-10 12:49:36 UTC 
FreeRDP upstream has released 1.1.0-beta1 version:
  [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956

correcting multiple security flaws:
* library / client side fixes:
    https://github.com/FreeRDP/FreeRDP/pull/887
    https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
    https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388

* server side fixes:
    https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
    https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53
Comment 1 Jan Lieskovsky 2013-07-10 12:52:24 UTC 
These issues affect the versions of the freerdp package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.

--

These issues affect the versions of the freerdp package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Comment 4 Jan Lieskovsky 2013-07-10 12:54:35 UTC 
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 983080]
Affects: epel-all [bug 983081]
Comment 5 Jan Lieskovsky 2013-07-10 13:12:02 UTC 
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/07/10/6
Comment 6 Vincent Danen 2013-07-22 21:46:00 UTC 
This was assigned CVEs as follows:

* server side issue #1 (https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7) -- CVE-2013-4118

* server side issue #2 (https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53) -- CVE-2013-4119

(as per http://seclists.org/oss-sec/2013/q3/96)
Comment 7 Vincent Danen 2013-07-22 21:47:54 UTC 
Please note that as per http://seclists.org/oss-sec/2013/q3/98 1.1.0-beta1 does _NOT_ correct these issues.  This post indicates the snapshot that fixes these issues (freerdp-1.1.0-beta+2013071101), so that will either need to be used, the patches applied to our existing packages, or waiting for (presumably) beta2.
Comment 10 Mads Kiilerich 2013-09-01 02:31:36 UTC 
The server pert of FreeRDP is barely usable yet. The Fedora/EPEL packages only contains the client program.

The complexity of the RDP protocol and the way FreeRDP is coded do that it only should be used on trusted networks, connecting to trusted servers.

The impact of these issues are thus quite low.

I also don't think it is feasible to fix the issues right now. I doubt it is feasible to backport these fixes to 1.0.2 ... and I doubt that these issues are more important than many other issues in the "old" version. Upgrading to a development version is also not really an option.