iDefense published an advisory affecting rdesktop:

DESCRIPTION: Remote exploitation of a BSS overflow vulnerability in rdesktop, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reading in an RDP redirect request. This request is used to redirect an RDP connection from one server to another. When parsing the redirect request, the rdesktop client reads several 32-bit integers from the request packet. These integers are then used to control the number of bytes read into statically allocated buffers. This results in several buffers located in the BSS section being overflowed, which can lead to the execution of arbitrary code.

ANALYSIS: Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the logged-in user. In order to exploit this vulnerability, an attacker must persuade a targeted user to connect to a malicious RDP server.

Reference: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697
Upstream patch: http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?r1=1.101&r2=1.102&pathrev=HEAD
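The bug class the advisory describes (a 32-bit length lifted straight out of the packet and used to drive a copy into a fixed-size buffer in .bss) is easy to see in miniature. The following is an added, constructed example and is not rdesktop's code or the upstream patch: the struct layout, the 64-byte field size, the function names and the little-endian "length + payload" packet format are all assumptions chosen to model the pattern, with a neighbouring variable placed after the buffer so that the overflow's effect on adjacent .bss data is visible. The vulnerable parser and a hardened one are shown side by side; the hardened one bounds the length by both the destination buffer (leaving room for a terminator) and the bytes actually present in the packet.

```c
/*
 * Constructed illustration of a length-controlled overflow into a
 * statically allocated buffer. Not rdesktop code: names, sizes and the
 * packet layout below are assumptions for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REDIR_FIELD_MAX 64          /* assumed size of the static buffer   */
#define CANARY          0xDEADBEEFu /* marker for the neighbouring variable */

/* Stand-in for a slice of .bss: the target buffer and whatever variable
 * the linker placed immediately after it. Writing past server[] lands in
 * neighbour, which is exactly the corruption the advisory describes. */
struct redirect_state {
    char     server[REDIR_FIELD_MAX];
    uint32_t neighbour;
};

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length read from the packet is trusted. It is
 * neither compared with REDIR_FIELD_MAX (buffer overflow) nor with the
 * packet size (over-read of the input). */
int parse_redirect_vulnerable(struct redirect_state *st,
                              const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t len = read_u32_le(pkt);
    unsigned char *dst = (unsigned char *)st +
                         offsetof(struct redirect_state, server);
    for (uint32_t i = 0; i < len; i++)   /* runs past the end of server[] */
        dst[i] = pkt[4 + i];
    return 0;
}

/* Hardened pattern: reject any length the buffer or the packet cannot hold. */
int parse_redirect_fixed(struct redirect_state *st,
                         const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t len = read_u32_le(pkt);
    if (len >= REDIR_FIELD_MAX)        /* must leave room for the NUL */
        return -1;
    if (len > pkt_len - 4)             /* claimed length exceeds the packet */
        return -1;
    memcpy(st->server, pkt + 4, len);
    st->server[len] = '\0';
    return 0;
}

/* Constructed packet: 4-byte little-endian length followed by `len` 'A's.
 * Returns the number of bytes written, or 0 if out_cap is too small. */
size_t build_packet(uint8_t *out, size_t out_cap, uint32_t len)
{
    if (out_cap < 4 + (size_t)len)
        return 0;
    out[0] = (uint8_t)(len);
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len >> 16);
    out[3] = (uint8_t)(len >> 24);
    memset(out + 4, 'A', len);
    return 4 + len;
}

/* Run one parser over a packet claiming `len` payload bytes and report the
 * neighbouring variable afterwards. For the vulnerable parser keep `len`
 * <= sizeof(struct redirect_state) so the write stays inside the modelled
 * .bss slice; a real client has no such safety net. */
uint32_t neighbour_after(int (*parser)(struct redirect_state *,
                                       const uint8_t *, size_t),
                         uint32_t len)
{
    struct redirect_state st;
    uint8_t pkt[4 + 128];
    memset(&st, 0, sizeof st);
    st.neighbour = CANARY;
    size_t n = build_packet(pkt, sizeof pkt, len);
    parser(&st, pkt, n);
    return st.neighbour;
}

/* Return code of the hardened parser for a packet that claims `claimed`
 * payload bytes but is truncated on the wire to `given` bytes in total. */
int fixed_rc(uint32_t claimed, size_t given)
{
    struct redirect_state st;
    uint8_t pkt[4 + 128];
    memset(&st, 0, sizeof st);
    size_t n = build_packet(pkt, sizeof pkt, claimed);
    if (given < n)
        n = given;
    return parse_redirect_fixed(&st, pkt, n);
}

int main(void)
{
    printf("vulnerable, len=68: neighbour = 0x%08x\n",
           neighbour_after(parse_redirect_vulnerable, 68));
    printf("fixed,      len=68: neighbour = 0x%08x, rc = %d\n",
           neighbour_after(parse_redirect_fixed, 68), fixed_rc(68, 72));
    return 0;
}
```

With a claimed length of 68 the vulnerable parser fills all 64 bytes of the buffer and then writes the next four bytes over the neighbouring variable, turning the canary into 0x41414141; the hardened parser refuses the same packet and the neighbour is untouched. The second check in the hardened parser matters as much as the first: a packet that claims more bytes than it carries would otherwise make the copy read past the end of the input.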
Upstream released version 1.6.0, which addresses this issue: http://sourceforge.net/mailarchive/message.php?msg_name=20080511065217.GA24455%40cse.unsw.EDU.AU
rdesktop-1.6.0-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rdesktop-1.6.0-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 306785: Public PoC http://www.milw0rm.com/exploits/5585
Could you clarify the status for the various RHELs?
This vulnerability is in 1.5 which we have not shipped in any RHEL.
This vulnerability occurs in the Session Directory code that was only introduced in upstream rdesktop version 1.5.0:

rdesktop (1.5.0)
[ ... ]
* Session Directory support (patch from Brian Chapeau)

http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/doc/ChangeLog?view=markup

This issue did not affect the versions of rdesktop as shipped with Red Hat Enterprise Linux 3, 4, or 5.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3985
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3917
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-3886