Bug 983078 (CVE-2013-4118, CVE-2013-4119) - CVE-2013-4119 freerdp: Multiple security fixes in versions after 1.1.0-beta1
Summary: CVE-2013-4119 freerdp: Multiple security fixes in versions after 1.1.0-beta1
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-4118, CVE-2013-4119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 983079 983080 983081 987518
Blocks: 982959 999871
TreeView+ depends on / blocked
 
Reported: 2013-07-10 12:49 UTC by Jan Lieskovsky
Modified: 2019-09-29 13:05 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-05-31 12:38:25 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2013-07-10 12:49:36 UTC 
FreeRDP upstream has released 1.1.0-beta1 version:
  [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956

correcting multiple security flaws:
* library / client side fixes:
    https://github.com/FreeRDP/FreeRDP/pull/887
    https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
    https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388

* server side fixes:
    https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
    https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53
Comment 1 Jan Lieskovsky 2013-07-10 12:52:24 UTC 
These issues affect the versions of the freerdp package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.

--

These issues affect the versions of the freerdp package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Comment 4 Jan Lieskovsky 2013-07-10 12:54:35 UTC 
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 983080]
Affects: epel-all [bug 983081]
Comment 5 Jan Lieskovsky 2013-07-10 13:12:02 UTC 
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/07/10/6
Comment 6 Vincent Danen 2013-07-22 21:46:00 UTC 
This was assigned CVEs as follows:

* server side issue #1 (https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7) -- CVE-2013-4118

* server side issue #2 (https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53) -- CVE-2013-4119

(as per http://seclists.org/oss-sec/2013/q3/96)
Comment 7 Vincent Danen 2013-07-22 21:47:54 UTC 
Please note that as per http://seclists.org/oss-sec/2013/q3/98 1.1.0-beta1 does _NOT_ correct these issues.  This post indicates the snapshot that fixes these issues (freerdp-1.1.0-beta+2013071101), so that will either need to be used, the patches applied to our existing packages, or waiting for (presumably) beta2.
Comment 10 Mads Kiilerich 2013-09-01 02:31:36 UTC 
The server pert of FreeRDP is barely usable yet. The Fedora/EPEL packages only contains the client program.

The complexity of the RDP protocol and the way FreeRDP is coded do that it only should be used on trusted networks, connecting to trusted servers.

The impact of these issues are thus quite low.

I also don't think it is feasible to fix the issues right now. I doubt it is feasible to backport these fixes to 1.0.2 ... and I doubt that these issues are more important than many other issues in the "old" version. Upgrading to a development version is also not really an option.
Note You need to log in before you can comment on or make changes to this bug.