Bug 983078 - (CVE-2013-4118, CVE-2013-4119) CVE-2013-4118 CVE-2013-4119 freerdp: Multiple security fixes in versions after 1.1.0-beta1
CVE-2013-4118 CVE-2013-4119 freerdp: Multiple security fixes in versions aft...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130110,repor...
: Security
Depends On: 983079 983080 983081 987518
Blocks: 982959 999871
  Show dependency treegraph
 
Reported: 2013-07-10 08:49 EDT by Jan Lieskovsky
Modified: 2015-07-31 06:45 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 1 Jan Lieskovsky 2013-07-10 08:52:24 EDT
These issues affect the versions of the freerdp package, as shipped with Fedora release of 17, 18, and 19. Please schedule an update.

--

These issues affect the versions of the freerdp package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Comment 4 Jan Lieskovsky 2013-07-10 08:54:35 EDT
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 983080]
Affects: epel-all [bug 983081]
Comment 5 Jan Lieskovsky 2013-07-10 09:12:02 EDT
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/07/10/6
Comment 7 Vincent Danen 2013-07-22 17:47:54 EDT
Please note that as per http://seclists.org/oss-sec/2013/q3/98 1.1.0-beta1 does _NOT_ correct these issues.  This post indicates the snapshot that fixes these issues (freerdp-1.1.0-beta+2013071101), so that will either need to be used, the patches applied to our existing packages, or waiting for (presumably) beta2.
Comment 10 Mads Kiilerich 2013-08-31 22:31:36 EDT
The server pert of FreeRDP is barely usable yet. The Fedora/EPEL packages only contains the client program.

The complexity of the RDP protocol and the way FreeRDP is coded do that it only should be used on trusted networks, connecting to trusted servers.

The impact of these issues are thus quite low.

I also don't think it is feasible to fix the issues right now. I doubt it is feasible to backport these fixes to 1.0.2 ... and I doubt that these issues are more important than many other issues in the "old" version. Upgrading to a development version is also not really an option.
Comment 11 Huzaifa S. Sidhpurwala 2014-05-28 04:36:16 EDT
Statement:

This issue affects the version of freerdp as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.

Note You need to log in before you can comment on or make changes to this bug.