Red Hat Bugzilla – Bug 983078
CVE-2013-4118 CVE-2013-4119 freerdp: Multiple security fixes in versions after 1.1.0-beta1
Last modified: 2015-07-31 06:45:52 EDT
FreeRDP upstream has released 1.1.0-beta1 version:
correcting multiple security flaws:
* library / client side fixes:
* server side fixes:
These issues affect the versions of the freerdp package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.
These issues affect the versions of the freerdp package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Created freerdp tracking bugs for this issue:
Affects: fedora-all [bug 983080]
Affects: epel-all [bug 983081]
This was assigned CVEs as follows:
* server side issue #1 (https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7) -- CVE-2013-4118
* server side issue #2 (https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53) -- CVE-2013-4119
(as per http://seclists.org/oss-sec/2013/q3/96)
Please note that as per http://seclists.org/oss-sec/2013/q3/98 1.1.0-beta1 does _NOT_ correct these issues. This post indicates the snapshot that fixes these issues (freerdp-1.1.0-beta+2013071101), so that will either need to be used, the patches applied to our existing packages, or waiting for (presumably) beta2.
The server pert of FreeRDP is barely usable yet. The Fedora/EPEL packages only contains the client program.
The complexity of the RDP protocol and the way FreeRDP is coded do that it only should be used on trusted networks, connecting to trusted servers.
The impact of these issues are thus quite low.
I also don't think it is feasible to fix the issues right now. I doubt it is feasible to backport these fixes to 1.0.2 ... and I doubt that these issues are more important than many other issues in the "old" version. Upgrading to a development version is also not really an option.
This issue affects the version of freerdp as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.