Bug 829013 - VUL-1: freerdp issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low    Severity: Normal
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2013-4119:6.8:(AV:N...
Reported: 2013-07-11 08:52 UTC by Marcus Meissner
Modified: 2016-10-20 10:24 UTC (History)
Description Marcus Meissner 2013-07-11 08:52:02 UTC
is public, via oss-sec

From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Wed, 10 Jul 2013 09:10:45 -0400 (EDT)
Subject: [oss-security] CVE Request -- FreeRDP: Multiple security fixes in 1.1.0-beta1  version

Hello Kurt, Steve, vendors,

  (some time ago) FreeRDP upstream has released the 1.1.0-beta1 version:
  [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956

correcting multiple security flaws:
* library / client side fixes:
    https://github.com/FreeRDP/FreeRDP/pull/887
    https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
    https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388

* server side fixes:
    https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
    https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53

CC-ed Marc-Andre, Bernhard and Martin of FreeRDP upstream to clarify
whether the above list of patches is complete wrt security fixes corrected
within the 1.0.1-beta1 version. Marc-Andre, Bernhard, Martin, please complete
the set of security fixes if / where necessary.

Kurt / Steve, could you allocate CVE ids for these?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Thanks goes to Florian Weimer of Red Hat Product Security Team for pointing these out.
Comment 1 Bruno Friedmann 2013-07-11 20:43:59 UTC
What is still not clear to me is the fact that we don't have 1.1.0 (yet).
We deliver the 1.0.2 stable rpm.

So is the 1.0.x stable branch concerned too? If yes, will the patches be backported to a next stable fixed release 1.0.3?
Comment 2 Swamp Workflow Management 2013-07-11 22:00:12 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2013-07-12 09:22:52 UTC
CVEs so far:

> * server side fixes:
> https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7

Please use CVE-2013-4118 for this issue.

> https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53

Please use CVE-2013-4119 for this issue.
Comment 5 SMASH SMASH 2014-07-07 09:25:14 UTC
Affected packages:

SLE-11-SP3: freerdp
Comment 6 Felix Zhang 2016-09-18 10:36:38 UTC
CVE-2013-4118:
SLE11:       too old, not affected

SLE12 & SP1: affected, fix pushed to maintenance:
https://build.suse.de/request/show/121252

SLE12-SP2:   has the fix, not affected
Comment 7 Felix Zhang 2016-09-18 10:42:46 UTC
CVE-2013-4119:
SLE11, SLE12&SP1: too old, not affected.
SLE12-SP2:        fixed, not affected.
Comment 8 Bruno Friedmann 2016-09-18 11:38:35 UTC
Felix, question (as I don't have access to build.suse.de): would you mind also doing a maintenance request for Leap 42.1, which should be affected too?
Comment 9 Felix Zhang 2016-09-18 11:51:04 UTC
(In reply to Bruno Friedmann from comment #8)
> Felix, question (as I don't have access to build.suse.de): would you mind
> also doing a maintenance request for Leap 42.1, which should be affected too?

Hi Bruno. Sure, but please forgive my ignorance: what is the submission target please?
Comment 10 Felix Zhang 2016-09-18 12:29:45 UTC
Sorry for the stupid question. Submission to Leap 42.1:
https://build.opensuse.org/request/show/428454
Comment 11 Bruno Friedmann 2016-09-18 20:17:36 UTC
Ty Felix, really appreciated
Comment 12 Felix Zhang 2016-09-19 04:32:15 UTC
Hi Marcus, please remind me if there are any more targets to fix; otherwise I guess we could close this bug once the submissions are accepted. Thanks.
Comment 13 Marcus Meissner 2016-09-19 06:16:00 UTC
openSUSE 13.2 also needs the fix, can you submit it there too?
Comment 14 Felix Zhang 2016-09-19 07:23:38 UTC
(In reply to Marcus Meissner from comment #13)
> openSUSE 13.2 also needs the fix, can you submit it there too?

Thank you very much for reminding me. Sure, as 13.2 and 42.1 use the same code base, I will just submit the 42.1 package to 13.2 when the request is checked in.
:-)
Comment 15 Felix Zhang 2016-09-19 07:34:05 UTC
(In reply to Felix Zhang from comment #14)
> (In reply to Marcus Meissner from comment #13)
> > openSUSE 13.2 also needs the fix, can you submit it there too?
> 
> Thank you very much for reminding me. Sure, as 13.2 and 42.1 use the same code
> base, I will just submit the 42.1 package to 13.2 when the request is
> checked in.
> :-)

Please ignore that. Submitted to 13.2 so that the reviews can run in parallel:
https://build.opensuse.org/request/show/428599
Comment 16 Felix Zhang 2016-09-20 15:23:55 UTC
openSUSE 13.2
https://build.opensuse.org/request/show/428599

Leap 42.1
https://build.opensuse.org/request/show/428454

SLE12
https://build.suse.de/request/show/121252

All affected products checked in. Please let me know if I missed something or whether we could close this bug.
Comment 17 Marcus Meissner 2016-09-20 15:32:39 UTC
I think we have everything.
Comment 18 Felix Zhang 2016-09-20 15:42:23 UTC
Thank you Marcus. Assigning back to security team.
Comment 20 Marcus Meissner 2016-09-23 08:18:21 UTC
We will close once released.
Comment 21 Felix Zhang 2016-09-23 08:20:50 UTC
(In reply to Marcus Meissner from comment #20)
> We will close once released.

I see. Thanks very much!
Comment 22 Swamp Workflow Management 2016-09-27 19:10:28 UTC
openSUSE-SU-2016:2400-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 829013,857491
CVE References: CVE-2013-4118,CVE-2014-0791
Sources used:
openSUSE 13.2 (src):    freerdp-1.0.2-8.3.1
Comment 23 Swamp Workflow Management 2016-09-27 19:11:17 UTC
openSUSE-SU-2016:2402-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 829013,857491
CVE References: CVE-2013-4118,CVE-2014-0791
Sources used:
openSUSE Leap 42.1 (src):    freerdp-1.0.2-11.1
Comment 24 Swamp Workflow Management 2016-10-12 13:10:18 UTC
SUSE-SU-2016:2506-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 829013,857491,880317
CVE References: CVE-2013-4118,CVE-2014-0250,CVE-2014-0791
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    freerdp-1.0.2-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    freerdp-1.0.2-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    freerdp-1.0.2-9.1
Comment 25 Victor Pereira 2016-10-20 09:34:35 UTC
All updates released